NitroPack WordPress Plugin Missing Authorization Vulnerability in Compression Settings Update

Vulnerability

A vulnerability exists in the NitroPack plugin for WordPress, allowing unauthorized data modification. This issue arises from a missing capability check in the 'nitropack_set_compression_ajax()' function, affecting all versions up to and including 1.18.4. The flaw enables authenticated attackers with Subscriber-level access or higher to alter the 'nitropack-enableCompression' option, thereby changing the plugin's compression settings.

Impact

Exploitation of this vulnerability allows for unauthorized changes to the NitroPack plugin's compression settings, which could disrupt website performance optimization.

Reproduction

To reproduce this vulnerability, log in as a user with Subscriber-level access and send a request to the plugin's admin-ajax endpoint for the action handled by 'nitropack_set_compression_ajax()', carrying the desired value for the 'nitropack-enableCompression' option. The handler performs no capability check before saving the option, so the request succeeds even though a Subscriber has no permission to change plugin settings. Note that the check is missing in the plugin's code; the attacker does not have to bypass anything.
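The following PHP is an added illustration of the flaw described in the Vulnerability and Reproduction sections and of its hardened form; it is not NitroPack's code, and the hook names ('example_set_compression_vuln', 'example_set_compression'), the function names and the nonce action name are assumed for the example. The only real identifier is the option name 'nitropack-enableCompression' taken from the text above.

```php
<?php
// Added example, not the plugin's own code. Shows the missing-capability
// pattern in a WordPress admin-ajax handler and the corrected handler.
// Hook, function and nonce names below are assumed for illustration.

// --- Vulnerable pattern --------------------------------------------------
// wp_ajax_{action} runs for every logged-in user regardless of role.
// Without a capability check, a Subscriber can change the option.
add_action( 'wp_ajax_example_set_compression_vuln', 'example_set_compression_ajax_vuln' );
function example_set_compression_ajax_vuln() {
    $enable = isset( $_POST['enable'] ) && '1' === $_POST['enable'];
    update_option( 'nitropack-enableCompression', $enable ? 1 : 0 );
    wp_send_json_success( array( 'enabled' => $enable ) );
}

// --- Hardened pattern ----------------------------------------------------
add_action( 'wp_ajax_example_set_compression', 'example_set_compression_ajax_fixed' );
function example_set_compression_ajax_fixed() {
    // 1. Authorization: only users allowed to manage site options.
    //    wp_send_json_error() terminates the request after sending JSON.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. CSRF protection: check_ajax_referer() dies if the nonce is missing
    //    or invalid. A nonce is not an authorization check: it only proves
    //    the request came from a page this user loaded, and a Subscriber
    //    can obtain one wherever the plugin prints it. Keep both checks.
    check_ajax_referer( 'example_set_compression', 'nonce' );

    // 3. Validate the input before persisting it.
    $enable = isset( $_POST['enable'] ) ? (int) $_POST['enable'] : 0;
    update_option( 'nitropack-enableCompression', $enable ? 1 : 0 );
    wp_send_json_success( array( 'enabled' => (bool) $enable ) );
}
```

When reviewing a plugin for this class of issue, list every 'wp_ajax_*' (and 'wp_ajax_nopriv_*') registration and confirm each handler that writes options or other state calls 'current_user_can()' with an appropriate capability before doing so; a nonce check alone does not close the hole.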

Remediation

Users are advised to update the NitroPack WordPress plugin to version 1.18.5 or later, where this vulnerability has been patched.

Added: Sep 10, 2025, 7:30 AM
Updated: Sep 10, 2025, 7:30 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.