CVE-2026-39669
Description
Missing Authorization vulnerability in NitroPack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NitroPack: from n/a through 1.19.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing Authorization in the NitroPack plugin allows unprivileged users to execute higher-privileged actions, affecting versions up to 1.19.3.
What is the vulnerability?
The NitroPack WordPress plugin versions through 1.19.3 suffer from a Missing Authorization vulnerability [1]. This is a broken access control issue where the plugin fails to properly enforce access restrictions, allowing users without proper permissions to perform actions that should be restricted to higher-privileged roles.
How is it exploited?
The vulnerability can be exploited by an unprivileged user who is already authenticated in WordPress. By sending a crafted request, the attacker can trigger a function that normally requires higher privileges, thereby bypassing access controls [1]. The attack does not require any special network position, as the plugin is commonly used on public-facing websites.
Impact
Successful exploitation enables an attacker to execute higher-privileged actions, potentially leading to site compromise, data modification, or privilege escalation. The reference notes that vulnerabilities like this are frequently used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vendor has released version 1.19.4, which fixes the missing authorization issue [1]. Users running NitroPack below this version should update immediately. Patchstack also recommends enabling auto-updates for vulnerable plugins [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.