CVE-2024-11848
Published: 15 January 2025
Description
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of '1' which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition.
Security Summary
CVE-2024-11848 is a vulnerability in the NitroPack plugin for WordPress, affecting all versions up to and including 1.17.0. It stems from a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action, enabling unauthorized modification of data. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is classified under CWE-862 (Missing Authorization).
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows them to update arbitrary WordPress options to a fixed value of '1', potentially activating features such as user registration or modifying options in ways that lead to denial-of-service conditions.
Mitigation guidance is available in two places: WordPress plugin trac changeset 3211235 for NitroPack, which addresses the issue, and the Wordfence threat intelligence advisory, which details the vulnerability. Security practitioners should update to a patched version of the plugin beyond 1.17.0.
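The missing-authorization pattern described above, next to a hardened form, as an added illustration for plugin reviewers. This is not NitroPack's code and not the content of changeset 3211235; every `example_` name, the `notice_id` and `nonce` request fields, and the allow-list entries are hypothetical.

```php
<?php
// Added illustration, not NitroPack's code. All example_* names are hypothetical.

// Vulnerable pattern (CWE-862): a wp_ajax_* hook fires for ANY logged-in
// user, subscribers included, and the option name is taken from the request.
function example_dismiss_notice_vulnerable() {
    $name = $_POST['notice_id'];   // caller-controlled option name
    update_option( $name, 1 );     // any option can be forced to 1
    wp_send_json_success();
}

// Hardened pattern: only these notice ids may ever be dismissed.
const EXAMPLE_DISMISSIBLE_NOTICES = array( 'upgrade', 'cache_warmup' );

function example_dismiss_notice_hardened() {
    // 1. CSRF protection: verify a nonce issued to the admin page (dies on failure).
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // 2. Authorization: the capability check the vulnerable form lacks.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input validation: accept only known notice ids, compared strictly.
    $notice = isset( $_POST['notice_id'] )
        ? sanitize_key( wp_unslash( $_POST['notice_id'] ) )
        : '';
    if ( ! in_array( $notice, EXAMPLE_DISMISSIBLE_NOTICES, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown notice' ), 400 );
    }

    // 4. Namespacing: the request never chooses the option key itself, so
    //    core options such as users_can_register stay out of reach.
    update_option( 'example_dismissed_' . $notice, 1 );
    wp_send_json_success();
}

// Register only the hardened handler; no wp_ajax_nopriv_* hook is added,
// so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice_hardened' );
```

The capability check alone closes the subscriber-level path; the allow-list and key prefix limit what even an authorized caller can write.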
Details
- CWE(s)