{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39669", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:59.671Z", "datePublished": "2026-04-08T08:30:38.737Z", "dateUpdated": "2026-04-28T17:23:59.096Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T11:35:06.542Z"}, "title": "WordPress NitroPack plugin <= 1.19.3 - Broken Access Control vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "NitroPack", "product": "NitroPack", "collectionURL": "https://wordpress.org/plugins", "packageName": "nitropack", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "1.19.3", "changes": [{"at": "1.19.4", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in NitroPack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through 1.19.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing Authorization vulnerability in NitroPack allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NitroPack: from n/a through 1.19.3.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "Update the WordPress NitroPack plugin to the latest available version (at least 1.19.4).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress NitroPack plugin to the latest available version (at least 1.19.4)."}]}], "credits": [{"lang": "en", "value": "Steven Julian | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:32:17.172895Z", "id": "CVE-2026-39669", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:23:59.096Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39669", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:59.671Z", "datePublished": "2026-04-08T08:30:38.737Z", "dateUpdated": "2026-04-28T17:23:59.096Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T11:35:06.542Z"}, "title": "WordPress NitroPack plugin <= 1.19.3 - Broken Access Control vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "NitroPack", "product": "NitroPack", "collectionURL": "https://wordpress.org/plugins", "packageName": "nitropack", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "1.19.3", "changes": [{"at": "1.19.4", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in NitroPack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through 1.19.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing Authorization vulnerability in NitroPack allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NitroPack: from n/a through 1.19.3.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "Update the WordPress NitroPack plugin to the latest available version (at least 1.19.4).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress NitroPack plugin to the latest available version (at least 1.19.4)."}]}], "credits": [{"lang": "en", "value": "Steven Julian | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39669", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T18:32:17.172895Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:18:55.814Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in NitroPack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through 1.19.3."}], "id": "CVE-2026-39669", "lastModified": "2026-04-28T19:37:39.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-08T09:16:38.297", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.19.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NitroPack", "source": "cna", "vendor": "NitroPack"}, "product": "nitropack", "vendor": "nitropack"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T16:31:34.551480+00:00", "value": {"mitigation_remediation": ["Upgrade NitroPack to a version newer than 1.19.3.", "Verify that the plugin\u2019s administrative interfaces are protected by authentication.", "If upgrading is not feasible, limit public access to NitroPack configuration URLs through server or firewall rules."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress installations running NitroPack versions up to and including 1.19.3 are affected. All releases from the first available version through 1.19.3 lack the necessary protections. The vulnerability is tied solely to the NitroPack plugin and does not extend beyond it.", "description_and_impact": "The NitroPack plugin for WordPress contains a missing authorization check that permits any web visitor to access privileged configuration functions. This broken access control flaw allows an attacker to read or alter plugin settings, potentially degrading site performance or enabling further attacks. The weakness is classified as CWE-862.", "risk_and_exploitability": "The vulnerability carries a score of 5.3, indicating moderate severity. Exploitation is considered unlikely, with an exploitation probability below 1%, and it is not currently listed in the CISA KEV catalog. The flaw can be reached remotely by sending HTTP requests to NitroPack endpoints that omit authentication checks, requiring no special credentials or additional software."}}}}, "created": "2026-04-08T19:28:03.949568+00:00", "updated": "2026-04-28T16:45:06.158551+00:00", "vendors": ["nitropack", "nitropack$PRODUCT$nitropack", "wordpress", "wordpress$PRODUCT$wordpress"]}