Title: Security issue
Last modified: January 8, 2024

---

# Security issue

 *  Resolved [caordawebsol](https://wordpress.org/support/users/caordawebsol/)
 * (@caordawebsol)
 * [2 years, 4 months ago](https://wordpress.org/support/topic/security-issue-158/)
 * iThemes / Patchstack just started reporting this vulnerability. Will you be issuing
   a fix?
 * WordPress Nginx Helper plugin <= 2.2.3 – Sensitive Data Exposure vulnerability
 * [View in Patchstack](https://patchstack.com/database/vulnerability/nginx-helper/wordpress-nginx-helper-plugin-2-2-3-sensitive-data-exposure-vulnerability?_a_id=431)

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Plugin Contributor [Gagan Deep Singh](https://wordpress.org/support/users/gagan0123/)
 * (@gagan0123)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/security-issue-158/#post-17338284)
 * [@caordawebsol](https://wordpress.org/support/users/caordawebsol/)
 * We have confirmed that the concern raised was not a security issue, and at no
   point was there any compromise to the sites using Nginx Helper.
 * Following our detailed communication, Patchstack has re-evaluated the situation
   and has accordingly removed the entry from their database.
 * Therefore, we are marking this ticket as resolved. Thank you for your attention
   to this matter and notifying us.
 *  [dpitzer](https://wordpress.org/support/users/dpitzer/)
 * (@dpitzer)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/security-issue-158/#post-17339496)
 * I do not believe this is resolved as Blogvault is now reporting a vulnerability
   in the WordPress Nginx Helper plugin <= 2.2.3 too. Please advise.
 *  Plugin Contributor [Gagan Deep Singh](https://wordpress.org/support/users/gagan0123/)
 * (@gagan0123)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/security-issue-158/#post-17339945)
 * [@dpitzer](https://wordpress.org/support/users/dpitzer/)
 * Well, that's what happens when services blindly trust third-party databases and
   apply caching on top of that.
 *  [jordantrizz](https://wordpress.org/support/users/jordantrizz/)
 * (@jordantrizz)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/security-issue-158/#post-17344889)
 * [@gagan0123](https://wordpress.org/support/users/gagan0123/)
 * Do you mean the leading reporter of CVEs? [https://jerrygamblin.com/2024/01/03/2023-cve-data-review/](https://jerrygamblin.com/2024/01/03/2023-cve-data-review/)
 * There’s a gaping hole of observability on WordPress plugin security issues and
   data leakage. So instead of a full disclosure of what was reported and why you
   consider it irrelevant, you simply made the decision for everyone who utilizes
   your plugin. Your plugin is open source, and as such you should be more transparent
   about reports like this, even if they’re incorrect.
 * Also, Patchstack removed the report. No hate, I’m sure you would want other developers
   and companies to be transparent about this same subject.
 *  Plugin Contributor [Gagan Deep Singh](https://wordpress.org/support/users/gagan0123/)
 * (@gagan0123)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/security-issue-158/#post-17352986)
 * [@jordantrizz](https://wordpress.org/support/users/jordantrizz/)
 * To shed more light on the issue, a concern was initially reported to Patchstack
   about our plugin’s logging functionality. After investigation, we clarified to
   Patchstack that the logging feature of our plugin, when enabled, does not record
   sensitive information. Instead, it only logs routine activities like the purging
   of specific URLs from the cache. This information is standard for operational
   logs when debugging and does not pose a security risk or contain any sensitive
   information.
 * Also, our plugin requires explicit action from an administrator account to activate
   logging, and by default, it does not generate or expose any data. Furthermore,
   in our extensive testing with various respected hosting providers, we found that
   they already have measures in place to block public access to all log files, 
   adding an additional layer of security.
 * Based on the detailed information and analysis we provided, Patchstack reassessed
   the report and concluded that it was not a security issue. Consequently, they
   have removed the entry from their database.
 * We understand the importance of security to our users and assure you that we 
   uphold the highest standards in safeguarding our plugin. Your trust in our commitment
   to security is invaluable, and we remain dedicated to transparent communication
   about any such concerns.
 * If you have further questions or need more information, please feel free to reach
   out to us.
 *  [jordantrizz](https://wordpress.org/support/users/jordantrizz/)
 * (@jordantrizz)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/security-issue-158/#post-17354461)
 * [@gagan0123](https://wordpress.org/support/users/gagan0123/)
 * Thank you for the reply and for providing a more in-depth update. What was the
   specific concern of the reporter? I’ve never used this feature, so I’m interested
   in why they thought it was a security concern.

The topic ‘Security issue’ is closed to new replies.

 * 9 replies
 * 4 participants
 * Last reply from: [jordantrizz](https://wordpress.org/support/users/jordantrizz/)
 * Last activity: [2 years, 3 months ago](https://wordpress.org/support/topic/security-issue-158/#post-17354461)
 * Status: resolved