[wp-trac] [WordPress Trac] #63882: Plugins: Preflight activation to avoid WSOD when plugin code uses syntax incompatible with PHP runtime

WordPress Trac noreply at wordpress.org
Tue Aug 26 17:35:58 UTC 2025 

#63882: Plugins: Preflight activation to avoid WSOD when plugin code uses syntax
incompatible with PHP runtime
-----------------------------------------------+---------------------------
 Reporter:  codad5                             |      Owner:  (none)
     Type:  defect (bug)                       |     Status:  new
 Priority:  normal                             |  Milestone:  Awaiting
                                               |  Review
Component:  Plugins                            |    Version:  6.8.2
 Severity:  major                              |   Keywords:  has-patch
  Focuses:  sustainability, php-compatibility  |  needs-testing
-----------------------------------------------+---------------------------
 Problem
 -------
 Activating a plugin whose code is valid only on newer PHP versions (for
 example, using `false` as a return type in PHP 8.3) on a site running an
 older PHP version (e.g. PHP 8.0) can produce a fatal parse error. Because
 the plugin can already be persisted as "active" before compatibility is
 verified, the site can end up in a broken/white-screen state that requires
 DB or filesystem access to recover.

 Steps to reproduce
 ------------------
 1. On a site running PHP 8.0, install a plugin whose main file uses syntax
 valid in PHP 8.3 (e.g., `function foo(): false {}`).
 2. Attempt to activate the plugin via wp-admin → Plugins → Activate.
 3. The site will display a fatal parse error and the plugin will be in the
 active_plugins list, causing further loads to attempt to include it.

 Expected
 --------
 Plugin activation should perform a preflight check and not persist a
 plugin as active if its main file produces a fatal/parsing error. A failed
 activation should abort and leave the active_plugins option unchanged.

 Proposed solution
 -----------------
 Before updating `active_plugins`, preflight-load the plugin main file
 (sandboxed). If loading produces a fatal error (parse or otherwise), abort
 activation and show the error without saving the plugin as active.
 Implementation changes are proposed in:
 - `src/wp-admin/includes/plugin.php` (inside `activate_plugin()`)
 - Unit tests added in `tests/phpunit/tests/admin/includesPlugin.php`

 Patch/PR
 -------
 A PR is available on GitHub and this ticket will include the patch. Please
 see linked PR for details.

 Environment tested
 ------------------
 - WordPress: <trunk>
 - PHP: 8.3 (plugin syntax that causes repro)
 - OS: Windows 11
 - Browser: Google Chrome

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63882>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list