Vulnerabilities and security research for nitropack nitropack
Jun 07, 2024
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images # CVE-2023-52121
- Date: Jan 05, 2024
- Research Description: Cross-Site Request Forgery (CSRF) vulnerability in NitroPack Inc. NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images. This issue affects NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images: from n/a through 1.10.2.
- Affected versions: max 1.10.0.
- Status: vulnerable
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images # CVE-2023-6034
- Date: Nov 14, 2023
- Research Description: Rejected reason: Accidental request.
- Affected versions: max 1.10.0.
- Status: vulnerable
Aug 29, 2024
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images # CVE-2024-43922
- Date: Aug 29, 2024
- Research Description: Improper Control of Generation of Code ('Code Injection') vulnerability in NitroPack Inc. NitroPack allows Code Injection. This issue affects NitroPack: from n/a through 1.16.7.
- Affected versions: max 1.16.8.
- Status: vulnerable
Jan 15, 2025
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images # CVE-2024-11848
- Date: Jan 15, 2025
- Research Description: The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of '1' which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition.
- Affected versions: max 1.17.6.
- Status: vulnerable
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images # CVE-2024-11851
- Date: Jan 15, 2025
- Research Description: The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note that these transients can only be updated to integers and not arbitrary values.
- Affected versions: max 1.17.6.
- Status: vulnerable
Apr 13, 2026
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images # CVE-2026-39669
- Date: Apr 08, 2026
- Research Description: Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NitroPack: from n/a through <= 1.19.3.
- Affected versions: max 1.19.3.
- Status: vulnerable
Apr 24, 2026
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images # CVE-2025-8778
- Date: Sep 10, 2025
- Research Description: The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings.
- Affected versions: max 1.18.5.
- Status: vulnerable