cleantalk
Vulnerabilities and Security Researches

NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images, CVE-2025-8778

CVE, Research URL

CVE-2025-8778

Home page URL

Security reports for NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images

Application

NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images

Published on
Sep 10, 2025
Research Description
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings.
Affected versions
max 1.18.5.
Status
vulnerable
Previous vulnerability researches
Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer (CVE-2024-3602) , Jun 21, 2024
New vulnerability
Getwid – Gutenberg Blocks (CVE-2025-58252) , Apr 24, 2026
Admin and Site Enhancements (ASE) (CVE-2025-9487) , Apr 24, 2026
VikBooking Hotel Booking Engine & PMS (CVE-2025-5803) , Apr 24, 2026
CTX Feed – WooCommerce Product Feed Manager Plugin (CVE-2026-39434) , Apr 24, 2026
Welcart e-Commerce (CVE-2025-9367) , Apr 24, 2026