Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization by nitropack
CVE-2025-8778 (GCVE-0-2025-8778)
Vulnerability from nvd – Published: 2025-09-10 06:38 – Updated: 2026-04-08 17:01
VLAI?
Title
NitroPack <= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function
Summary
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nitropack | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization |
Affected:
0 , ≤ 1.18.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T13:37:48.891470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T16:11:56.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NitroPack \u2013 Performance, Page Speed \u0026 Cache Plugin for Core Web Vitals, CDN \u0026 Image Optimization",
"vendor": "nitropack",
"versions": [
{
"lessThanOrEqual": "1.18.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:17.377Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/750f35ce-0f1c-4a12-a7a0-2c217de277fd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nitropack/trunk/functions.php#L2907"
},
{
"url": "https://wordpress.org/plugins/nitropack/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3354452%40nitropack\u0026new=3354452%40nitropack\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-09T18:06:39.000Z",
"value": "Disclosed"
}
],
"title": "NitroPack \u003c= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8778",
"datePublished": "2025-09-10T06:38:47.044Z",
"dateReserved": "2025-08-08T21:02:35.241Z",
"dateUpdated": "2026-04-08T17:01:17.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11851 (GCVE-0-2024-11851)
Vulnerability from nvd – Published: 2025-01-15 11:29 – Updated: 2026-04-08 17:05
VLAI?
Title
NitroPack <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update
Summary
The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nitropack | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization |
Affected:
0 , ≤ 1.17.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:33:40.839966Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:33:45.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NitroPack \u2013 Performance, Page Speed \u0026 Cache Plugin for Core Web Vitals, CDN \u0026 Image Optimization",
"vendor": "nitropack",
"versions": [
{
"lessThanOrEqual": "1.17.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sean Murphy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:26.026Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8945bae7-2224-4d9f-b693-10c94c94dea0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3211235/nitropack"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-27T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "NitroPack \u003c= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11851",
"datePublished": "2025-01-15T11:29:52.770Z",
"dateReserved": "2024-11-26T21:18:43.921Z",
"dateUpdated": "2026-04-08T17:05:26.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11848 (GCVE-0-2024-11848)
Vulnerability from nvd – Published: 2025-01-15 11:24 – Updated: 2026-04-08 16:40
VLAI?
Title
NitroPack <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Summary
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of '1' which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nitropack | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization |
Affected:
0 , ≤ 1.17.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:34:16.632759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:34:27.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NitroPack \u2013 Performance, Page Speed \u0026 Cache Plugin for Core Web Vitals, CDN \u0026 Image Optimization",
"vendor": "nitropack",
"versions": [
{
"lessThanOrEqual": "1.17.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sean Murphy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027nitropack_dismiss_notice_forever\u0027 AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of \u00271\u0027 which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:40:44.324Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e1b06d0-f348-4a8b-8730-a87d8e2ba2a1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3211235/nitropack"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-27T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "NitroPack \u003c= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11848",
"datePublished": "2025-01-15T11:24:35.912Z",
"dateReserved": "2024-11-26T20:55:33.085Z",
"dateUpdated": "2026-04-08T16:40:44.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8778 (GCVE-0-2025-8778)
Vulnerability from cvelistv5 – Published: 2025-09-10 06:38 – Updated: 2026-04-08 17:01
VLAI?
Title
NitroPack <= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function
Summary
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nitropack | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization |
Affected:
0 , ≤ 1.18.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T13:37:48.891470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T16:11:56.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NitroPack \u2013 Performance, Page Speed \u0026 Cache Plugin for Core Web Vitals, CDN \u0026 Image Optimization",
"vendor": "nitropack",
"versions": [
{
"lessThanOrEqual": "1.18.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:17.377Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/750f35ce-0f1c-4a12-a7a0-2c217de277fd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nitropack/trunk/functions.php#L2907"
},
{
"url": "https://wordpress.org/plugins/nitropack/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3354452%40nitropack\u0026new=3354452%40nitropack\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-09T18:06:39.000Z",
"value": "Disclosed"
}
],
"title": "NitroPack \u003c= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8778",
"datePublished": "2025-09-10T06:38:47.044Z",
"dateReserved": "2025-08-08T21:02:35.241Z",
"dateUpdated": "2026-04-08T17:01:17.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11851 (GCVE-0-2024-11851)
Vulnerability from cvelistv5 – Published: 2025-01-15 11:29 – Updated: 2026-04-08 17:05
VLAI?
Title
NitroPack <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update
Summary
The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nitropack | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization |
Affected:
0 , ≤ 1.17.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:33:40.839966Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:33:45.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NitroPack \u2013 Performance, Page Speed \u0026 Cache Plugin for Core Web Vitals, CDN \u0026 Image Optimization",
"vendor": "nitropack",
"versions": [
{
"lessThanOrEqual": "1.17.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sean Murphy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:26.026Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8945bae7-2224-4d9f-b693-10c94c94dea0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3211235/nitropack"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-27T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "NitroPack \u003c= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11851",
"datePublished": "2025-01-15T11:29:52.770Z",
"dateReserved": "2024-11-26T21:18:43.921Z",
"dateUpdated": "2026-04-08T17:05:26.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11848 (GCVE-0-2024-11848)
Vulnerability from cvelistv5 – Published: 2025-01-15 11:24 – Updated: 2026-04-08 16:40
VLAI?
Title
NitroPack <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Summary
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of '1' which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nitropack | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization |
Affected:
0 , ≤ 1.17.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:34:16.632759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:34:27.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NitroPack \u2013 Performance, Page Speed \u0026 Cache Plugin for Core Web Vitals, CDN \u0026 Image Optimization",
"vendor": "nitropack",
"versions": [
{
"lessThanOrEqual": "1.17.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sean Murphy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027nitropack_dismiss_notice_forever\u0027 AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of \u00271\u0027 which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:40:44.324Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e1b06d0-f348-4a8b-8730-a87d8e2ba2a1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3211235/nitropack"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-27T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "NitroPack \u003c= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11848",
"datePublished": "2025-01-15T11:24:35.912Z",
"dateReserved": "2024-11-26T20:55:33.085Z",
"dateUpdated": "2026-04-08T16:40:44.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}