Unauthorized Data Modification in NitroPack Plugin for WordPress
CVE-2024-11848

8.1HIGH

Key Information:

Vendor
Wordpress
Status
Nitropack – Caching & Speed Optimization For Core Web Vitals, Defer Css & Js, Lazy Load Images And Cdn
Vendor
CVE Published:
15 January 2025

Summary

The NitroPack plugin for WordPress is exposed to a vulnerability that allows users with subscriber-level access and higher to modify data without the necessary capability checks. Specifically, the 'nitropack_dismiss_notice_forever' AJAX action is affected, enabling unauthorized changes like activating user registration or altering options that may lead to denial of service. This issue exists in all versions up to and including 1.17.0, posing a significant risk to WordPress sites utilizing this plugin.

Affected Version(s)

NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN * <= 1.17.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3211235/nitr...

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sean Murphy
.