Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3.
AnalysisAI
NitroPack WordPress plugin through version 1.19.3 allows remote unauthenticated attackers to modify plugin settings via incorrectly configured access control checks, enabling unauthorized changes to website optimization and caching configurations. The vulnerability requires only network access and no user interaction, affecting default installations. Despite the CVSS 5.3 score indicating integrity impact, real-world exploitation risk is extremely low (EPSS 0.02%, 4th percentile), suggesting limited practical exploitability or narrow attack scope in production environments.
Technical ContextAI
NitroPack is a WordPress plugin providing website optimization, caching, and performance enhancement functionality. The vulnerability stems from CWE-862 (Missing Authorization), indicating that access control checks for administrative functions are either absent or improperly implemented. The plugin fails to validate user permissions before accepting requests that modify settings, allowing unauthenticated users to interact with functionality intended for site administrators. WordPress plugins typically leverage role-based access control through the capabilities system; this plugin appears to skip or misconfigure those checks for certain endpoints or settings modifications.
RemediationAI
Update NitroPack to version 1.19.4 or later, which includes proper authorization checks for administrative functions. For WordPress sites unable to update immediately, temporarily disable the NitroPack plugin via the WordPress admin dashboard (Plugins > Installed Plugins > Deactivate) until patches are applied. Verify authorization fixes through the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability. Monitor for any configuration changes made to the plugin settings after the vulnerability window and before patching.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20344
GHSA-hp4v-mqpf-9mwh