This is an epic sigh, failure moment.
According to the documentation, WordPress allows the setup of debugging to a file, when issues are encountered inside the software. All well and good, I’d expect that. What I wouldn’t expect is the file it dumps the data into – to be WORLD READABLE!
But I suppose this is WordPress, and they’re well known for doing dumb shit like this constantly.
If you run WordPress, please make sure this file is not world-readable – please protect it with your Apache/Nginx/IIS config – don’t rely on it not being visible in a directory list!