Description
Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NitroPack: from n/a through <= 1.19.3.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Unprivileged access to NitroPack administrative functions
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from a missing authorization check that allows a malicious actor to access NitroPack settings without proper credentials. This can lead to unauthorized modification of plugin configurations, potentially rolling back performance optimizations, and exposing any sensitive data stored within the plugin. The weakness stems from an absence of proper access control verification, a type of missing authorization flaw.

Affected Systems

WordPress sites using NitroPack plugin versions up to and including 1.19.3 are affected. The plugin is available for all standard WordPress installations that rely on NitroPack for optimization and caching, and every site running any of these affected plugin versions is at risk.

Risk and Exploitability

The flaw permits full administrative control over NitroPack, enabling attackers to alter configurations or potentially reveal cached content. No exploitation code is publicly referenced, and the vulnerability is not listed in the Known Exploited Vulnerabilities catalog. EPSS data is unavailable, so the likelihood of exploitation is uncertain, but the potential impact of an unprivileged actor gaining administrative access is high.

Generated by OpenCVE AI on April 8, 2026 at 10:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NitroPack to the latest version (>=1.20) or any release that resolves the access control issue.
  • If updating is not immediately possible, restrict file permissions on the plugin files to prevent editing by non‑admin users.
  • Verify WordPress user roles have correct capabilities, and consider disabling NitroPack until a patch is applied.
  • Monitor the plugin’s access logs for anomalous activity and block suspicious IP addresses.



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Nitropack; Nitropack nitropack; Wordpress; Wordpress wordpress |
| Vendors & Products | | Nitropack; Nitropack nitropack; Wordpress; Wordpress wordpress |

Wed, 08 Apr 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NitroPack: from n/a through <= 1.19.3. |
| Title | | WordPress NitroPack plugin <= 1.19.3 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:38.737Z

Reserved: 2026-04-07T10:57:59.671Z

Link: CVE-2026-39669

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:38.297

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39669

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:41:07Z

Weaknesses