Description
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings.
Published: 2025-09-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation – Unauthorized configuration change via subscriber role
Action: Patch
AI Analysis

Impact

The missing capability check in the nitropack_set_compression_ajax() function allows an authenticated user with Subscriber or higher privileges to alter the nitropack-enableCompression option. This unauthorized modification changes the compression behaviour of the NitroPack plugin, potentially affecting site performance and data handling but not directly exposing code execution or data exfiltration.
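To make the flaw class (CWE-862, missing authorization) concrete, the following is an added illustration of a WordPress AJAX handler without a capability check next to a hardened version. It is not NitroPack's code, which is not on this page; only the handler name nitropack_set_compression_ajax and the option name nitropack-enableCompression come from the record above. The action hook name, the POST field name and the nonce action string are assumptions made for the example.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. Not NitroPack's code:
// only the function name and the option name come from the CVE record; the hook
// 'nitropack_set_compression', the POST field 'enabled' and the nonce action
// 'nitropack_settings' are assumed for this example.

// --- Before (the pattern the advisory describes): wp_ajax_* hooks fire for every
//     authenticated session, whatever the role, so without a capability check any
//     logged-in user (Subscriber included) can reach update_option().
function nitropack_set_compression_ajax_vulnerable() {
    $enabled = isset( $_POST['enabled'] ) && $_POST['enabled'] === '1';
    update_option( 'nitropack-enableCompression', $enabled ? 1 : 0 );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}

// --- After: gate on a capability that only administrators hold, then verify a nonce
//     so that an administrator's own session cannot be driven by a third-party page.
function nitropack_set_compression_ajax() {
    // Role gate: wp_send_json_error() ends the request, so nothing below runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF gate: expects a 'nonce' field created with wp_create_nonce( 'nitropack_settings' ).
    check_ajax_referer( 'nitropack_settings', 'nonce' );

    // Only now is the caller trusted to change the setting.
    $enabled = isset( $_POST['enabled'] ) && $_POST['enabled'] === '1';
    update_option( 'nitropack-enableCompression', $enabled ? 1 : 0 );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}

// Register only the hardened handler; the vulnerable one above is kept for comparison.
add_action( 'wp_ajax_nitropack_set_compression', 'nitropack_set_compression_ajax' );
```

The point a reviewer checks for in any wp_ajax_ handler is that being logged in is not the same as being authorized: WordPress authenticates the session before calling the handler, but the handler itself must call current_user_can() with the capability the action requires (here manage_options, the capability that normally protects plugin settings). The nonce is a separate control against cross-site request forgery and does not replace the capability check.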

Affected Systems

The WordPress plugin "NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization"; all released versions up to and including 1.18.4 are affected.

Risk and Exploitability

The CVSS score of 4.3 classifies this as low severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires an authenticated account, an attacker must first compromise a Subscriber or higher‑ranked user to modify the compression setting. No additional attack surface such as remote code execution is disclosed by the CVE data.

Generated by OpenCVE AI on April 21, 2026 at 03:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NitroPack to version 1.18.5 or later to obtain the capability check fix.
  • If updating is not immediately possible, restrict Subscriber and lower roles from accessing NitroPack settings via role‑based access controls.
  • Disable or protect the nitropack_set_compression_ajax endpoint at the web server level to prevent unauthorized requests.

Advisories

No advisories yet.

History

Thu, 11 Sep 2025 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nitropack; Nitropack nitropack; Wordpress; Wordpress wordpress
Vendors & Products                    Nitropack; Nitropack nitropack; Wordpress; Wordpress wordpress

Wed, 10 Sep 2025 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Sep 2025 06:45:00 +0000

Type          Values Removed   Values Added
Description                    The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings.
Title                          NitroPack <= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:17.377Z

Reserved: 2025-08-08T21:02:35.241Z

Link: CVE-2025-8778

Vulnrichment

Updated: 2025-09-10T16:11:18.729Z

NVD

Status: Deferred

Published: 2025-09-10T07:15:45.843

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:15:16Z

Weaknesses