Phpinfo Security & Risk Analysis

wordpress.org/plugins/phpinfo

Prints out your webservers php settings as well as other information about your WordPress installation.

100 active installs · v1.1 · PHP min version: not listed · Requires WP 1.5+ · Updated Sep 14, 2007
Tags: configuration, debugging, phpinfo, server, troubleshooting

Score: 85/100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: never
Safety Verdict

Is Phpinfo Safe to Use in 2026?

Generally Safe

Score 85/100

Phpinfo has no known CVEs, but it is not actively maintained: the current release (v1.1) dates from September 2007 and was tested only against WordPress 2.2.2. The score reflects the absence of vulnerability reports, not a current audit. The code analysis below flags unescaped output and missing capability checks, and the plugin's whole purpose is to expose server configuration, so do not leave it installed on a production site without reviewing who can reach its admin page.

No known CVEs · Last updated 18 years ago
Risk Assessment

The "phpinfo" v1.1 plugin presents a concerning security posture despite a clean vulnerability history. Static analysis shows a minimal attack surface: no dangerous functions, no SQL queries, no file operations or external requests, and only two hooks (init and admin_menu). Against that, none of the plugin's 14 output statements is escaped, and the taint analysis found two data flows with unsanitized paths through dprx_phpinfo_manage_page (phpinfo.php:24). The template fragment quoted under Detection Fingerprints suggests that most of those outputs are _e() calls on fixed label strings, which limits the XSS exposure from them to a malicious translation file; the flows that matter are any in which request or server data reaches the page unescaped, and those warrant a manual look. Note also that "no dangerous functions" refers to the scanner's list (eval, system and the like). The plugin's core call, phpinfo(), is itself an information-disclosure primitive: it prints environment variables, file paths, loaded modules and $_SERVER contents, any of which may contain credentials. The missing nonce and capability checks therefore matter less for CSRF, since the page changes no state, than for who can view that dump: verify that the admin_menu registration restricts the page to manage_options and that the callback cannot be invoked any other way.

Overall, the plugin's strengths lie in its tiny code base and lack of known exploitable vulnerabilities. Its weaknesses are unescaped output and the absence of explicit access checks on a page whose content is sensitive by design. It is best avoided, or audited and patched before deployment in a production environment (an explicit capability check in the callback, escaped output, and phpinfo() limited to the sections actually needed), and removed again once the troubleshooting it was installed for is done.

Key Concerns

  • 100% of outputs are unescaped
  • Taint analysis shows unsanitized paths
  • No nonce checks
  • No capability checks
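The following is an added example and not code from the phpinfo plugin: a WordPress admin page that shows phpinfo() output with the three controls the concerns above say are missing (capability check, nonce check, escaped output), shown first in the weak shape the analysis describes and then hardened. All function names, the text domain 'example', the slug 'example-phpinfo' and the nonce action are hypothetical.

```php
<?php
/**
 * Added example (not the phpinfo plugin's own code). Function names, the
 * 'example' text domain and the 'example-phpinfo' slug are hypothetical.
 */

// Weak shape (not hooked up; shown for contrast): the callback trusts whoever
// reached it and echoes raw, unescaped output.
function example_phpinfo_weak_page() {
    echo '<div class="wrap"><h2>' . __( 'Phpinfo', 'example' ) . '</h2>';
    phpinfo(); // everything: environment variables, $_SERVER, paths, modules
    echo '</div>';
}

// Hardened shape.
add_action( 'admin_menu', 'example_phpinfo_register_menu' );

function example_phpinfo_register_menu() {
    // Only users with manage_options (administrators) get the page at all.
    add_management_page(
        __( 'Phpinfo', 'example' ),
        __( 'Phpinfo', 'example' ),
        'manage_options',
        'example-phpinfo',
        'example_phpinfo_hardened_page'
    );
}

function example_phpinfo_hardened_page() {
    // Defence in depth: re-check inside the callback, so the page stays
    // protected even if the callback is ever reached outside the menu routing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.', 'example' ), 403 );
    }

    // Sections that rarely hold secrets are shown by default. Environment and
    // request variables (API keys in env vars, cookies, forwarded headers) are
    // only added on an explicit, nonce-verified POST.
    $sections = INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES;
    if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        check_admin_referer( 'example_phpinfo_show', 'example_phpinfo_nonce' ); // dies on a bad nonce
        if ( ! empty( $_POST['show_env'] ) ) {
            $sections |= INFO_ENVIRONMENT | INFO_VARIABLES;
        }
    }

    // phpinfo() writes HTML in web SAPIs; capture it, reduce it to text, and
    // decode entities so the escaping below is applied exactly once.
    ob_start();
    phpinfo( $sections );
    $dump = html_entity_decode( wp_strip_all_tags( ob_get_clean() ), ENT_QUOTES, 'UTF-8' );

    echo '<div class="wrap">';
    echo '<h2>' . esc_html__( 'Phpinfo', 'example' ) . '</h2>';
    echo '<form method="post">';
    wp_nonce_field( 'example_phpinfo_show', 'example_phpinfo_nonce' );
    echo '<label><input type="checkbox" name="show_env" value="1"> '
        . esc_html__( 'Include environment and request variables', 'example' ) . '</label> ';
    submit_button( __( 'Refresh', 'example' ), 'secondary', 'submit', false );
    echo '</form>';
    // esc_textarea() neutralises any markup inside the dump, e.g. an
    // attacker-controlled request header echoed back through $_SERVER, so the
    // page cannot be turned into a stored or reflected XSS vector.
    echo '<textarea readonly style="width:100%;height:260px">' . esc_textarea( $dump ) . '</textarea>';
    echo '</div>';
}
```

The nonce only guards the opt-in for the sensitive sections; on a purely read-only page a missing nonce is a low-severity finding, and the capability check is the control that decides who sees the dump. Limiting phpinfo() to the sections you need is the cheapest way to keep environment secrets out of the browser, out of support screenshots and out of any cached copy of the page.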
Vulnerabilities
None known

Phpinfo Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Phpinfo Release Timeline

v1.1 (current)
v1.0
Code Analysis
Analyzed Mar 16, 2026

Phpinfo Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 14 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

0% escaped (14 total outputs)
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths
dprx_phpinfo_manage_page (phpinfo.php:24)
Attack Surface

Phpinfo Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 2
  • action init (phpinfo.php:11)
  • action admin_menu (phpinfo.php:18)
Maintenance & Trust

Phpinfo Maintenance & Trust

Maintenance Signals

WordPress version tested: 2.2.2
Last updated: Sep 14, 2007
PHP min version: not listed
Downloads: 16K

Community Trust

Rating: 70/100
Number of ratings: 2
Active installs: 100
Developer Profile

Phpinfo Developer Profile

Roland Rust

9 plugins · 180 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Phpinfo

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes
wrap (the standard WordPress admin page wrapper class; on its own it does not identify this plugin)
Data Attributes
id="bkpwp_manage_backups_table" (the bkpwp_ prefix does not match this plugin's dprx_phpinfo namespace and looks like a fingerprint from a different plugin; do not rely on it)
Template markup (a fragment of the plugin's PHP admin template, not rendered shortcode output)
<textarea style="width:100%; height: 260px;"><h2><?php _e('Phpinfo') ?></h2><th scope="col"><?php _e("Configuration","dprx_phpinfo"); ?></th><th scope="col"><?php _e("php_ini","dprx_phpinfo"); ?></th>
FAQ

Frequently Asked Questions about Phpinfo