rtCamp Nginx Helper Plugin Security Vulnerability

Introduction

If you haven’t heard already, the Nginx Helper Plugin by rtCamp has an unpublished security vulnerability. Here’s the listing from Patchstack:

Patchstack report: WordPress Nginx Helper plugin 2.2.3 sensitive data exposure vulnerability
https://patchstack.com/database/vulnerability/nginx-helper/wordpress-nginx-helper-plugin-2-2-3-sensitive-data-exposure-vulnerability

There is also an issue currently open on the GitHub repository owned by rtCamp:

Great Plugin! Please issue a security fix! · Issue #315 · rtCamp/nginx-helper · GitHub

Hopefully it gets patched soon.

Update #1

After I talked with Oliver Sid of Patchstack, he had the following to say. By this time the report had been taken down.

It looks like it was disputed by rtCamp and therefore a decision was made to remove it. It was reconsidered to be a possible security improvement instead. But this also explains why it was Low priority, etc. It’s very rare that such things happen, but I guess there was some kind of misunderstanding.

The initial report involved certain data being written to a public .log file. It’s a very common issue that leads to sensitive data exposure. However, after the re-evaluation, we determined that in this case the data is not sensitive enough to pose any security risk and therefore decided to reject the report and remove the vulnerability entry.

We haven’t had such situations really, so it’s a shame that we can’t leave an entry open with a note that it was revoked or something like that. We’ll add that to the backlog just in case for the future so it’s more transparent when something like this might happen again.

Oliver Sid, Patchstack

There was also a post by someone from rtCamp on the GitHub issue:

@JLoRenderer @jordantrizz

We have confirmed that the concern raised was not a security issue, and at no point was there any compromise to the sites using Nginx Helper plugin.

Following our detailed communication, Patchstack has re-evaluated the situation and has accordingly removed the entry from their database.

Therefore, we are closing this issue. Thank you for your attention to this matter.

gagan0123

Conclusion

Changelog

  • 01-12-2023 – Provided an update on the delisting and Oliver Sid’s response.