cleantalk
Vulnerabilities and Security Researches

NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images, CVE-2025-8778

CVE, Research URL

CVE-2025-8778

Home page URL

Security reports for NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images

Application

NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images

Published on
Sep 10, 2025
Research Description
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings.
Affected versions
max 1.18.5.
Status
vulnerable
Previous vulnerability researches
WP Photo Album Plus (CVE-2021-25115) , Jun 07, 2024
WP Photo Album Plus (CVE-2015-3647) , Jun 07, 2024
WP Photo Album Plus (CVE-2023-49813) , Jun 07, 2024
WP Photo Album Plus (CVE-2023-49774) , Jun 07, 2024
WP Photo Album Plus (CVE-2024-4037) , Jun 07, 2024
New vulnerability
Quran Live Multilanguage (CVE-2026-4074) , Apr 24, 2026
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts (CVE-2025-58269) , Apr 24, 2026
AnyClip Luminous Studio (CVE-2025-58271) , Apr 24, 2026
Getwid – Gutenberg Blocks (CVE-2025-58252) , Apr 24, 2026
Admin and Site Enhancements (ASE) (CVE-2025-9487) , Apr 24, 2026