NitroPack < 1.10.0 – Missing Authorization via multiple AJAX functions | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX function in all versions up to, and including, 1.9.2. This makes it possible for authenticated attackers, with subscriber access and above, to perform actions such as clearing cache, dismiss admin notifications, or enabling safe mode.

Affects Plugins

Fixed in 1.10.0

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/fb6f4b0b-25b8-4dcd-b002-293ce8ab307e

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

43720d66-406c-4eec-b25e-e9dda022ebf2

Timeline

Publicly Published

2023-11-07 (about 2 years ago)

Added

2024-01-12 (about 2 years ago)

Last Updated

2024-01-12 (about 2 years ago)

Other

Published

Title

Published

2024-04-22

Title

Quick Featured Images < 13.7.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Thumbnail Deletion/Setting

Published

2024-11-25

Title

Spam protection, Anti-Spam, FireWall by CleanTalk < 6.44 - Unauthenticated Arbitrary Plugin Installation

Published

2025-03-24

Title

sourceplay-navermap <= 0.0.2 - Missing Authorization

Published

2024-12-14

Title

Popup Surveys & Polls for WordPress (Mare.io) <= 1.36 - Missing Authorization

Published

2026-02-18

Title

Dealia – Request a quote < 1.0.8 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset