Refine your search
4 vulnerabilities found for by NitroPack
CVE-2026-39669 (GCVE-0-2026-39669)
Vulnerability from cvelistv5
Published
2026-04-08 08:30
Modified
2026-04-28 17:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in NitroPack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through 1.19.3.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39669",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T18:32:17.172895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T17:23:59.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "nitropack",
"product": "NitroPack",
"vendor": "NitroPack",
"versions": [
{
"changes": [
{
"at": "1.19.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.19.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Steven Julian | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in NitroPack allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects NitroPack: from n/a through 1.19.3.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in NitroPack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through 1.19.3."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T11:35:06.542Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress NitroPack plugin to the latest available version (at least 1.19.4)."
}
],
"value": "Update the WordPress NitroPack plugin to the latest available version (at least 1.19.4)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress NitroPack plugin \u003c= 1.19.3 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-39669",
"datePublished": "2026-04-08T08:30:38.737Z",
"dateReserved": "2026-04-07T10:57:59.671Z",
"dateUpdated": "2026-04-28T17:23:59.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8778 (GCVE-0-2025-8778)
Vulnerability from cvelistv5
Published
2025-09-10 06:38
Modified
2026-04-08 17:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nitropack | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization |
Version: 0 ≤ 1.18.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T13:37:48.891470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T16:11:56.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NitroPack \u2013 Performance, Page Speed \u0026 Cache Plugin for Core Web Vitals, CDN \u0026 Image Optimization",
"vendor": "nitropack",
"versions": [
{
"lessThanOrEqual": "1.18.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:17.377Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/750f35ce-0f1c-4a12-a7a0-2c217de277fd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nitropack/trunk/functions.php#L2907"
},
{
"url": "https://wordpress.org/plugins/nitropack/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3354452%40nitropack\u0026new=3354452%40nitropack\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-09T18:06:39.000Z",
"value": "Disclosed"
}
],
"title": "NitroPack \u003c= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8778",
"datePublished": "2025-09-10T06:38:47.044Z",
"dateReserved": "2025-08-08T21:02:35.241Z",
"dateUpdated": "2026-04-08T17:01:17.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11851 (GCVE-0-2024-11851)
Vulnerability from cvelistv5
Published
2025-01-15 11:29
Modified
2026-04-08 17:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nitropack | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization |
Version: 0 ≤ 1.17.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:33:40.839966Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:33:45.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NitroPack \u2013 Performance, Page Speed \u0026 Cache Plugin for Core Web Vitals, CDN \u0026 Image Optimization",
"vendor": "nitropack",
"versions": [
{
"lessThanOrEqual": "1.17.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sean Murphy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:26.026Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8945bae7-2224-4d9f-b693-10c94c94dea0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3211235/nitropack"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-27T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "NitroPack \u003c= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11851",
"datePublished": "2025-01-15T11:29:52.770Z",
"dateReserved": "2024-11-26T21:18:43.921Z",
"dateUpdated": "2026-04-08T17:05:26.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11848 (GCVE-0-2024-11848)
Vulnerability from cvelistv5
Published
2025-01-15 11:24
Modified
2026-04-08 16:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of '1' which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nitropack | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization |
Version: 0 ≤ 1.17.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:34:16.632759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:34:27.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NitroPack \u2013 Performance, Page Speed \u0026 Cache Plugin for Core Web Vitals, CDN \u0026 Image Optimization",
"vendor": "nitropack",
"versions": [
{
"lessThanOrEqual": "1.17.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sean Murphy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027nitropack_dismiss_notice_forever\u0027 AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of \u00271\u0027 which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:40:44.324Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e1b06d0-f348-4a8b-8730-a87d8e2ba2a1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3211235/nitropack"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-27T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "NitroPack \u003c= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11848",
"datePublished": "2025-01-15T11:24:35.912Z",
"dateReserved": "2024-11-26T20:55:33.085Z",
"dateUpdated": "2026-04-08T16:40:44.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}