NitroPack < 1.17.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update | CVE 2024-11851 | Plugin Vulnerabilities

Description

The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values.

Affects Plugins

Fixed in 1.17.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8945bae7-2224-4d9f-b693-10c94c94dea0

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Sean Murphy

Verified

No

WPVDB ID

400f4a6c-3073-4a82-ac16-328eef7008c7

Timeline

Publicly Published

2025-01-14 (about 1 year ago)

Added

2025-01-15 (about 1 year ago)

Last Updated

2025-01-15 (about 1 year ago)

Other

Published

Title

Published

2025-06-12

Title

Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal < 16.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read

Published

2022-10-31

Title

Restaurant Menu < 2.3.1 - Unauthorised AJAX Calls

Published

2025-10-16

Title

UiChemy < 4.0.1 - Missing Authorization

Published

2026-03-23

Title

Coinbase Commerce – Crypto Gateway for WooCommerce <= 1.6.6 - Missing Authorization

Published

2025-11-06

Title

IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function