{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39669", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:59.671Z", "datePublished": "2026-04-08T08:30:38.737Z", "dateUpdated": "2026-04-13T19:27:18.269Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "nitropack", "product": "NitroPack", "vendor": "NitroPack", "versions": [{"lessThanOrEqual": "1.19.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:42.689Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NitroPack: from n/a through <= 1.19.3.</p>"}], "value": "Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:38.737Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress NitroPack plugin <= 1.19.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:32:17.172895Z", "id": "CVE-2026-39669", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T19:27:18.269Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39669", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T18:32:17.172895Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:18:55.814Z"}}], "cna": {"title": "WordPress NitroPack plugin <= 1.19.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "NitroPack", "product": "NitroPack", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.19.3"}], "packageName": "nitropack", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:42.689Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NitroPack: from n/a through <= 1.19.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:38.737Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39669", "state": "PUBLISHED", "dateUpdated": "2026-04-13T19:27:18.269Z", "dateReserved": "2026-04-07T10:57:59.671Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:38.737Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3."}], "id": "CVE-2026-39669", "lastModified": "2026-04-13T19:16:48.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:38.297", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/nitropack/vulnerability/wordpress-nitropack-plugin-1-19-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.19.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NitroPack", "source": "cna", "vendor": "NitroPack"}, "product": "nitropack", "vendor": "nitropack"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T21:47:29.243437+00:00", "value": {"mitigation_remediation": ["Upgrade NitroPack to a version newer than 1.19.3.", "Verify that the plugin\u2019s administrative interfaces are protected by authentication.", "If upgrading is not feasible, limit public access to NitroPack configuration URLs through server or firewall rules."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress installations running NitroPack versions up to and including 1.19.3 are affected. All releases from the first available version through 1.19.3 lack the necessary protections. The vulnerability is tied solely to the NitroPack plugin and does not extend beyond it.", "description_and_impact": "The NitroPack plugin for WordPress contains a missing authorization check that permits any web visitor to access privileged configuration functions. This broken access control flaw allows an attacker to read or alter plugin settings, potentially degrading site performance or enabling further attacks. The weakness is classified as CWE-862.", "risk_and_exploitability": "The vulnerability carries a score of 5.3, indicating moderate severity. Exploitation is considered unlikely, with an exploitation probability below 1%, and it is not currently listed in the CISA KEV catalog. The flaw can be reached remotely by sending HTTP requests to NitroPack endpoints that omit authentication checks, requiring no special credentials or additional software."}}}}, "created": "2026-04-08T19:28:03.949568+00:00", "updated": "2026-04-14T16:38:42.565133+00:00", "vendors": ["nitropack", "nitropack$PRODUCT$nitropack", "wordpress", "wordpress$PRODUCT$wordpress"]}