NitroPack WordPress Plugin Missing Authorization Vulnerability in Transient Update

Vulnerability

A vulnerability exists in the NitroPack plugin for WordPress, allowing authenticated attackers with subscriber access or higher to update arbitrary transients. This issue arises from a missing capability check in the nitropack_rml_notification function, present in all versions through 1.17.0. The vulnerability is limited to updating transients with integer values.

Impact

Exploitation of this vulnerability allows unauthorized modification of transients, which could be used to manipulate plugin or theme behavior that relies on transient data.

Remediation

Users are advised to update the NitroPack plugin to version 1.17.6 or a newer patched version.
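The bug class described above, shown as an added illustration in PHP that is not NitroPack's code and does not reproduce the real nitropack_rml_notification function: a hypothetical admin-ajax handler (the action name example_rml_notification and the transient name example_rml_dismissed are invented for this example) that writes a caller-supplied transient with no capability check, placed beside the same handler hardened with a capability check, nonce verification and an allow-list of transient names.

```php
<?php
// Constructed example of the "missing authorization" pattern in a WordPress
// AJAX handler. Not the plugin's code; names are hypothetical.

// --- Vulnerable pattern (shown only for contrast, not registered below) ---
// Any logged-in user can reach a wp_ajax_* hook, so without a capability
// check a subscriber can set whatever transient name and integer value
// they choose.
function example_rml_notification_vulnerable() {
    $key   = sanitize_key( $_POST['transient'] ?? '' );
    $value = (int) ( $_POST['value'] ?? 0 );
    set_transient( $key, $value, HOUR_IN_SECONDS );
    wp_send_json_success();
}

// --- Hardened pattern ---
function example_rml_notification_fixed() {
    // 1. Authorization: only users permitted to manage the site may change
    //    plugin state. wp_send_json_error() ends the request via wp_die().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued to this
    //    user for this specific action (check_ajax_referer dies on failure).
    check_ajax_referer( 'example_rml_notification', 'nonce' );

    // 3. Allow-list: accept only the transient names this feature needs,
    //    instead of letting the client choose an arbitrary key.
    $allowed = array( 'example_rml_dismissed' );
    $key     = sanitize_key( $_POST['transient'] ?? '' );
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( 'unknown transient', 400 );
    }

    $value = (int) ( $_POST['value'] ?? 0 );
    set_transient( $key, $value, HOUR_IN_SECONDS );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_rml_notification', 'example_rml_notification_fixed' );
```

The capability check is the fix the advisory is about; the nonce and allow-list are the additional controls a reviewer would expect on any handler that writes site state, since `wp_ajax_*` hooks are reachable by every authenticated role.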

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          0.6
  exploitability  6.1
  remediation     7.7
  relevance       0.0
  threat          3.2
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.