{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39669", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:59.671Z", "datePublished": "2026-04-08T08:30:38.737Z", "dateUpdated": "2026-04-08T08:30:38.737Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "nitropack", "product": "NitroPack", "vendor": "NitroPack", "versions": [{"lessThanOrEqual": "1.19.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:42.689Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NitroPack: from n/a through <= 1.19.3.</p>"}], "value": "Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:38.737Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress NitroPack plugin <= 1.19.3 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3."}], "id": "CVE-2026-39669", "lastModified": "2026-04-08T09:16:38.297", "metrics": {}, "published": "2026-04-08T09:16:38.297", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.19.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NitroPack", "source": "cna", "vendor": "NitroPack"}, "product": "nitropack", "vendor": "nitropack"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:00:21.600301+00:00", "value": {"mitigation_remediation": ["Update NitroPack to the latest version (>=1.20) or any release that resolves the access control issue.", "If updating is not immediately possible, restrict file permissions on the plugin files to prevent editing by non\u2011admin users.", "Verify WordPress user roles have correct capabilities, and consider disabling NitroPack until a patch is applied.", "Monitor the plugin\u2019s access logs for anomalous activity and block suspicious IP addresses."], "summary": {"action": "Immediate Patch", "impact": "Unprivileged access to NitroPack administrative functions"}, "threat_synthesis": {"affected_systems": "WordPress sites using NitroPack plugin versions up to and including 1.19.3 are affected. The plugin is available for all standard WordPress installations that rely on NitroPack for optimization and caching, and every site running any of these affected plugin versions is at risk.", "description_and_impact": "The vulnerability arises from a missing authorization check that allows a malicious actor to access NitroPack settings without proper credentials. This can lead to unauthorized modification of plugin configurations, potentially rolling back performance optimizations, and exposing any sensitive data stored within the plugin. The weakness stems from an absence of proper access control verification, a type of missing authorization flaw.", "risk_and_exploitability": "The flaw permits full administrative control over NitroPack, enabling attackers to alter configurations or potentially reveal cached content. No exploitation code is publicly referenced, and the vulnerability is not listed in the Known Exploited Vulnerabilities catalog. EPSS data is unavailable, so the likelihood of exploitation is uncertain, but the potential impact of gaining unprivileged administrative access is high."}}}}, "created": "2026-04-08T19:28:03.949568+00:00", "updated": "2026-04-08T19:41:07.254154+00:00", "vendors": ["nitropack", "nitropack$PRODUCT$nitropack", "wordpress", "wordpress$PRODUCT$wordpress"]}