Skip to main content

Nitropack EUVDEUVD-2026-20344

| CVE-2026-39669 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-hp4v-mqpf-9mwh
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20344
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3.

AnalysisAI

NitroPack WordPress plugin through version 1.19.3 allows remote unauthenticated attackers to modify plugin settings via incorrectly configured access control checks, enabling unauthorized changes to website optimization and caching configurations. The vulnerability requires only network access and no user interaction, affecting default installations. Despite the CVSS 5.3 score indicating integrity impact, real-world exploitation risk is extremely low (EPSS 0.02%, 4th percentile), suggesting limited practical exploitability or narrow attack scope in production environments.

Technical ContextAI

NitroPack is a WordPress plugin providing website optimization, caching, and performance enhancement functionality. The vulnerability stems from CWE-862 (Missing Authorization), indicating that access control checks for administrative functions are either absent or improperly implemented. The plugin fails to validate user permissions before accepting requests that modify settings, allowing unauthenticated users to interact with functionality intended for site administrators. WordPress plugins typically leverage role-based access control through the capabilities system; this plugin appears to skip or misconfigure those checks for certain endpoints or settings modifications.

RemediationAI

Update NitroPack to version 1.19.4 or later, which includes proper authorization checks for administrative functions. For WordPress sites unable to update immediately, temporarily disable the NitroPack plugin via the WordPress admin dashboard (Plugins > Installed Plugins > Deactivate) until patches are applied. Verify authorization fixes through the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability. Monitor for any configuration changes made to the plugin settings after the vulnerability window and before patching.

Share

EUVD-2026-20344 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy