{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8778", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-08T21:02:35.241Z", "datePublished": "2025-09-10T06:38:47.044Z", "dateUpdated": "2026-04-08T17:01:17.377Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:17.377Z"}, "affected": [{"vendor": "nitropack", "product": "NitroPack \u2013 Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.18.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings."}], "title": "NitroPack <= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/750f35ce-0f1c-4a12-a7a0-2c217de277fd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/nitropack/trunk/functions.php#L2907"}, {"url": "https://wordpress.org/plugins/nitropack/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3354452%40nitropack&new=3354452%40nitropack&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-09-09T18:06:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-10T13:37:48.891470Z", "id": "CVE-2025-8778", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T16:11:56.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8778", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-10T13:37:48.891470Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T16:11:18.729Z"}}], "cna": {"title": "NitroPack <= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "nitropack", "product": "NitroPack \u2013 Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.18.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-09T18:06:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/750f35ce-0f1c-4a12-a7a0-2c217de277fd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/nitropack/trunk/functions.php#L2907"}, {"url": "https://wordpress.org/plugins/nitropack/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3354452%40nitropack&new=3354452%40nitropack&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:17.377Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8778", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:01:17.377Z", "dateReserved": "2025-08-08T21:02:35.241Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-10T06:38:47.044Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings."}], "id": "CVE-2025-8778", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-10T07:15:45.843", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/nitropack/trunk/functions.php#L2907"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3354452%40nitropack&new=3354452%40nitropack&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/nitropack/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/750f35ce-0f1c-4a12-a7a0-2c217de277fd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:09:32.073422+00:00", "value": {"mitigation_remediation": ["Update NitroPack to version 1.18.5 or later to obtain the capability check fix.", "If updating is not immediately possible, restrict Subscriber and lower roles from accessing NitroPack settings via role\u2011based access controls.", "Disable or protect the nitropack_set_compression_ajax endpoint at the web server level to prevent unauthorized requests."], "summary": {"action": "Patch", "impact": "Privilege Escalation \u2013 Unauthorized configuration change via subscriber role"}, "threat_synthesis": {"affected_systems": "NitroPack \u2013 Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization, WordPress plugin; all released versions up to and including 1.18.4 are affected.", "description_and_impact": "The missing capability check in the nitropack_set_compression_ajax() function allows an authenticated user with Subscriber or higher privileges to alter the nitropack-enableCompression option. This unauthorized modification changes the compression behaviour of the NitroPack plugin, potentially affecting site performance and data handling but not directly exposing code execution or data exfiltration.", "risk_and_exploitability": "The CVSS score of 4.3 classifies this as low severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires an authenticated account, an attacker must first compromise a Subscriber or higher\u2011ranked user to modify the compression setting. No additional attack surface such as remote code execution is disclosed by the CVE data."}}}}, "created": "2025-09-11T10:42:51.890902+00:00", "updated": "2026-04-21T03:15:16.333154+00:00", "vendors": ["nitropack", "nitropack$PRODUCT$nitropack", "wordpress", "wordpress$PRODUCT$wordpress"]}