Contributors: SudoWP, WP Republic
Original Authors: Stuart O'Brien, cxThemes
Tags: hooks, actions, filters, developer-tool, debug, security-fork, cve-2024-6297
Requires at least: 5.8
Tested up to: 6.7
Stable tag: 1.3.2
License: GPLv2 or later
This is a security-hardened fork of the abandoned "Simply Show Hooks" plugin. The original plugin was compromised in a supply chain attack (CVE-2024-6297) and permanently closed by WordPress.
This SudoWP edition is:
- Clean: Guaranteed free from the CVE-2024-6297 backdoor.
- Patched: Fixes legacy Cross-Site Scripting (XSS) vulnerabilities found in the visualization output.
- CSRF Protected: All state changes are protected with WordPress nonces.
- OWASP Compliant: Follows OWASP Top 10 security best practices.
For detailed security information, see SECURITY.md.
SudoWP Hooks Visualizer is a developer tool that helps you see where all the action and filter hooks are firing on any WordPress page. It is a secure, modernized version of the classic "Simply Show Hooks".
Key Features:
- Visual Hook Map: Displays hooks directly on the page where they trigger.
- Deep Inspection: See attached functions, their priority, and accepted arguments.
- Security Hardened: Input validation prevents XSS vectors found in legacy debugging tools.
- One-Click Toggle: Enable or disable globally via the Admin Bar.
- Download the plugin zip file (or clone this repo).
- Important: Deactivate and delete the original "Simply Show Hooks" plugin if installed.
- Upload the sudowp-hooks-visualizer folder to your /wp-content/plugins/ directory.
- Activate the plugin through the 'Plugins' menu in WordPress.
- Look for the "SudoWP Hooks" menu in your Admin Bar.
Why did you fork this? The original tool was incredibly useful but abandoned and later compromised. We rely on it for debugging, so we patched it to ensure it remains safe and compatible with newer PHP versions.
Is it safe to keep active? While we have hardened the security, this is primarily a debugging tool. We recommend activating it only when you are actively developing or troubleshooting a site, and keeping it inactive otherwise.
- Security Fix: Added CSRF protection with WordPress nonces for all state changes.
- Security Fix: Enhanced authorization checks - all rendering methods now verify the manage_options capability.
- Security Fix: Improved input validation with strict type checking for hook names and arguments.
- Security Fix: Added X-Content-Type-Options security header to prevent MIME type sniffing.
- Security Fix: Fixed COOKIE_DOMAIN handling to support environments where it's undefined.
- Security Enhancement: Improved direct file access prevention.
- Documentation: Added comprehensive SECURITY.md following OWASP framework.
- Security Fix: Guaranteed clean from CVE-2024-6297 (Supply Chain Attack).
- Security Fix: Implemented strict sanitization for all user inputs ($_GET, $_COOKIE) to prevent XSS.
- Security Fix: Hardened cookie setting with secure flags.
- Maintenance: Refactored codebase to use the SudoWP_ namespace and prevent conflicts.
- Rebrand: Forked as SudoWP Hooks Visualizer.
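As an added illustration of the fixes listed above (example code, not the plugin's own), here is a hardened on/off toggle handler in PHP that combines the nonce check, the manage_options check, strict input validation, secure cookie flags with a COOKIE_DOMAIN fallback, and the X-Content-Type-Options header. The function, cookie and query-parameter names are assumptions; the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's own code: a hardened on/off toggle for the
// visualizer. Function, cookie and query-parameter names are hypothetical;
// the WordPress API calls are real.
define( 'SUDOWP_HV_COOKIE', 'sudowp_hooks_visualizer' ); // hypothetical cookie name

function sudowp_hv_toggle_url( $state ) {
    // Admin-bar link: the nonce is bound to the specific action and state.
    return wp_nonce_url( add_query_arg( 'sudowp_hv_toggle', $state ), 'sudowp_hv_toggle_' . $state );
}

function sudowp_hv_handle_toggle() {
    if ( ! isset( $_GET['sudowp_hv_toggle'] ) ) {
        return;
    }
    // Strict input validation: sanitize_key() leaves only [a-z0-9_-], and the
    // value must then match an allow-list, so nothing else reaches a cookie or page.
    $state = sanitize_key( wp_unslash( $_GET['sudowp_hv_toggle'] ) );
    if ( ! in_array( $state, array( 'on', 'off' ), true ) ) {
        wp_die( esc_html__( 'Invalid toggle value.', 'sudowp-hooks-visualizer' ), '', array( 'response' => 400 ) );
    }
    // Authorization: state changes require manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'sudowp-hooks-visualizer' ), '', array( 'response' => 403 ) );
    }
    // CSRF: dies unless _wpnonce matches the action used in sudowp_hv_toggle_url().
    check_admin_referer( 'sudowp_hv_toggle_' . $state );
    // COOKIE_DOMAIN can be undefined or false on some hosts; fall back to ''.
    $domain = ( defined( 'COOKIE_DOMAIN' ) && COOKIE_DOMAIN ) ? COOKIE_DOMAIN : '';
    $expire = ( 'on' === $state ) ? time() + DAY_IN_SECONDS : time() - YEAR_IN_SECONDS;

    // Secure cookie flags (array form needs PHP 7.3+): HttpOnly keeps scripts away
    // from it, Secure sends it only over TLS, SameSite=Lax blocks cross-site POSTs.
    setcookie( SUDOWP_HV_COOKIE, $state, array(
        'expires'  => $expire,
        'path'     => COOKIEPATH,
        'domain'   => $domain,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );

    nocache_headers();
    header( 'X-Content-Type-Options: nosniff' ); // no MIME sniffing of the response
    // Redirect back without the one-shot parameters so a reload cannot replay them.
    wp_safe_redirect( remove_query_arg( array( 'sudowp_hv_toggle', '_wpnonce' ) ) );
    exit;
}
add_action( 'init', 'sudowp_hv_handle_toggle' );
```

Any code that later reads the cookie should apply the same allow-list check to its value before using it to decide whether to render the hook map.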
Maintained by the SudoWP Security Project.