[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4itEBcfQN0Vv6WIr-IJWRIRqz1jeU5OyIDTrXG3T5qY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39669","nitropack-missing-authorization","NitroPack \u003C= 1.19.3 - Missing Authorization","The NitroPack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.19.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.","nitropack",null,"\u003C=1.19.3","1.19.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 00:00:00","2026-04-25 15:35:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3c45283c-0839-4cad-b7b2-5170e65defca?source=api-prod",67,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39669 (NitroPack \u003C= 1.19.3)\n\n## 1. Vulnerability Summary\nThe **NitroPack** plugin for WordPress (versions \u003C= 1.19.3) contains a missing authorization vulnerability. 
The plugin registers several AJAX handlers using both `wp_ajax_` (authenticated) and `wp_ajax_nopriv_` (unauthenticated) hooks but fails to implement proper capability checks (e.g., `current_user_can('manage_options')`) within the callback functions. This allows unauthenticated attackers to trigger sensitive actions, such as purging the site's optimization cache, which can impact server performance and integrity of the site's delivery state.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **HTTP Method:** `POST`\n*   **Vulnerable Action:** `nitropack_purge_all` or `nitropack_purge_page` (inferred based on plugin functionality and CVSS 5.3).\n*   **Parameters:**\n    *   `action`: `nitropack_purge_all`\n    *   `nonce`: A valid WordPress nonce (required if `check_ajax_referer` is present but `current_user_can` is missing).\n*   **Authentication:** Unauthenticated (via `wp_ajax_nopriv_` hook).\n*   **Preconditions:** The NitroPack plugin must be active and ideally \"connected\" to its service for the purge logic to execute.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin (likely in `NitroPack\\WordPress\\Ajax` or `classes\u002FNitroPackAjax.php`) registers the hooks:\n    ```php\n    add_action('wp_ajax_nitropack_purge_all', array($this, 'purgeAll'));\n    add_action('wp_ajax_nopriv_nitropack_purge_all', array($this, 'purgeAll'));\n    ```\n2.  **Entry Point:** `admin-ajax.php` receives a POST request with `action=nitropack_purge_all`.\n3.  **Vulnerable Callback:** The `purgeAll` function is executed.\n4.  
**Security Failure:**\n    ```php\n    public function purgeAll() {\n        \u002F\u002F May check nonce:\n        check_ajax_referer('nitropack_purge_all', 'nonce'); \n        \n        \u002F\u002F MISSING: current_user_can('manage_options') check\n        \n        $nitropack = new NitroPack\\SDK\\NitroPack(...);\n        $nitropack->getApi()->purgeAll(); \u002F\u002F State-changing action\n        wp_send_json_success();\n    }\n    ```\n\n## 4. Nonce Acquisition Strategy\nNitroPack enqueues its main optimization scripts on the frontend, which often include localized settings containing nonces for AJAX actions.\n\n1.  **Identify Localization:** Look for `wp_localize_script` calls in the plugin source (likely in `NitroPack\\WordPress\\Scripts` or similar).\n2.  **JS Variable:** The global variable is likely `nitroPackSettings` or `nitroPackAjax` (inferred).\n3.  **Script Loading:** NitroPack typically loads its assets on the homepage or any optimized page.\n4.  **Extraction Steps:**\n    *   Use `browser_navigate` to the WordPress homepage.\n    *   Execute `browser_eval(\"window.nitroPackSettings?.ajax_nonce\")` or `browser_eval(\"window.nitroPackSettings?.purge_all_nonce\")` (property names inferred).\n    *   Note: If the nonce is tied to the action `nitropack_purge_all`, it will be exposed if the script is enqueued. A nonce minted for a logged-out visitor is derived from user ID 0 and an empty session token, so every logged-out visitor receives the same value for the nonce lifetime (12 to 24 hours); `check_ajax_referer` therefore accepts the attacker's copy as readily as any other visitor's. The nonce is a CSRF control, not an authorization check.\n\n## 5. Exploitation Strategy\n1.  **Step 1: Nonce Extraction**\n    *   Navigate to the homepage where NitroPack is active.\n    *   Fetch the nonce from the localized JS object.\n2.  **Step 2: Trigger Unauthorized Purge**\n    *   Send a POST request to `admin-ajax.php` with the extracted nonce.\n3.  **HTTP Request Details:**\n    *   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** `action=nitropack_purge_all&nonce=[EXTRACTED_NONCE]`\n\n## 6. Test Data Setup\n1.  Install and activate NitroPack \u003C= 1.19.3.\n2.  
Simulate a \"Connected\" state (NitroPack usually requires an API key and Site ID). You may need to use `wp option update nitropack_config ...` via WP-CLI to mock a valid configuration (WP-CLI has `option update`, not `option set`; the option name is inferred).\n3.  Ensure \"Cache Purge on Update\" or similar features are active so the `purgeAll` function has a valid SDK target.\n\n## 7. Expected Results\n*   **Response:** The server returns `{\"success\": true}` (the output of `wp_send_json_success()` with no data) or a similar JSON success message.\n*   **Behavior:** The NitroPack SDK is invoked to clear the cache. In an isolated test environment, this can be verified by checking if the plugin's \"last purge\" timestamp in the database changes.\n\n## 8. Verification Steps\n1.  **Check Plugin State:** Use WP-CLI to check the NitroPack purge log or transient (option name inferred):\n    ```bash\n    wp option get nitropack_last_purge_all\n    ```\n2.  **Verify Timestamp:** Compare the timestamp before and after the HTTP request to confirm the action was executed.\n3.  **Audit Logs:** Check the NitroPack debug log (if enabled; the path `wp-content\u002Fnitropack-debug.log` is assumed) to see the API call recorded.\n\n## 9. Alternative Approaches\n*   **Different Actions:** If `nitropack_purge_all` is protected, check for `nitropack_purge_page` or `nitropack_connect`.\n*   **REST API:** Check for registered REST routes in `NitroPack\\WordPress\\RestApi`. If the plugin uses the REST API, look for routes where `permission_callback` is `__return_true` or missing (a route registered without `permission_callback` still responds; WordPress 5.5+ only emits a `_doing_it_wrong` notice).\n*   **Setting Manipulation:** If the vulnerability is \"Missing Authorization\" on a settings-update function, try parameters like `action=nitropack_save_settings&settings[compression]=0`.","The NitroPack plugin for WordPress is vulnerable to unauthorized cache management due to missing capability checks in its AJAX handlers in versions up to 1.19.3 (the purge handler named here is inferred from the plugin's feature set; the published advisory states only that one function lacks a capability check, and this research has not been verified against the plugin source). 
This allows unauthenticated attackers to trigger administrative actions, such as purging the global site cache, by exploiting nonces exposed in the frontend source code.","\u002F\u002F File: NitroPack\u002FWordPress\u002FAjax.php\nadd_action('wp_ajax_nitropack_purge_all', array($this, 'purgeAll'));\nadd_action('wp_ajax_nopriv_nitropack_purge_all', array($this, 'purgeAll'));\n\n---\n\n\u002F\u002F File: NitroPack\u002FWordPress\u002FAjax.php\npublic function purgeAll() {\n    \u002F\u002F Nonce check is present but does not verify administrative privileges\n    check_ajax_referer('nitropack_purge_all', 'nonce');\n    \n    \u002F\u002F MISSING: current_user_can('manage_options') check to restrict access\n    \n    $nitropack = new NitroPack\\SDK\\NitroPack(...);\n    $nitropack->getApi()->purgeAll();\n    wp_send_json_success();\n}","--- a\u002FNitroPack\u002FWordPress\u002FAjax.php\n+++ b\u002FNitroPack\u002FWordPress\u002FAjax.php\n@@ -10,6 +10,10 @@\n     public function purgeAll() {\n         check_ajax_referer('nitropack_purge_all', 'nonce');\n \n+        if (!current_user_can('manage_options')) {\n+            wp_send_json_error('Unauthorized', 403);\n+        }\n+\n         $nitropack = new NitroPack\\SDK\\NitroPack(...);\n         $nitropack->getApi()->purgeAll();\n         wp_send_json_success();","The exploit involves extracting a valid nonce from the target site's frontend and using it to trigger the unauthorized AJAX action.\n1. Nonce Extraction: Navigate to the target WordPress site's homepage. Search the HTML source for the NitroPack localized script object (likely 'nitroPackSettings' or similar) which contains the 'nonce' value for AJAX operations.\n2. Payload Crafting: Construct a POST request targeting '\u002Fwp-admin\u002Fadmin-ajax.php'. Set the body parameters to include 'action=nitropack_purge_all' and 'nonce=[EXTRACTED_NONCE]'.\n3. Unauthorized Trigger: Send the request without any authentication headers. 
Because the plugin uses the 'wp_ajax_nopriv_' hook and lacks a capability check inside the callback function, the server will process the cache purge command.\n4. Verification: The server will respond with a JSON success message, and the plugin's optimization state will be reset (purged), affecting site performance and server resources.","gemini-3-flash-preview","2026-04-19 04:56:11","2026-04-19 04:56:34",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnitropack\u002Ftags"]
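Review bot: the hunk adds the capability check inside purgeAll() only; the `add_action('wp_ajax_nopriv_nitropack_purge_all', ...)` registration shown in the vulnerable-code excerpt is left untouched, and since an unauthenticated caller can never pass current_user_can('manage_options') that hook now serves no purpose and should be removed with the same change. The ordering is acceptable as written: check_ajax_referer() fails closed on a bad nonce and wp_send_json_error('Unauthorized', 403) terminates the request, so no explicit return is needed after it, and both checks run before the SDK call. Keep in mind that the diff is the research model's reconstruction, not the 1.19.4 patch (research_verified is false, patch_diff_files is empty and patch_trac_url is null); the file name NitroPack/WordPress/Ajax.php and the nonce action string should be confirmed against the 1.19.3 and 1.19.4 tags at the trac URL in source_links before the fix is cited.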
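The plan's sections 2 and 3 describe the bug pattern (a callback reachable through `wp_ajax_nopriv_` that runs `check_ajax_referer` but never `current_user_can`) and section 9 describes the REST variant (`permission_callback` missing or `__return_true`). The script below is an added example, not code from the page, the plugin or the research payload: it performs that triage statically over plugin PHP, so the "which action is it" question in the plan can be answered from the 1.19.3 source instead of by inference. The embedded PHP sample is constructed for the example and every action, route, file and function name in it (`example_purge_all`, `example/v1/purge`, `purgeAll`, and so on) is hypothetical.

```python
"""Static triage of WordPress plugin PHP for AJAX and REST handlers reachable without
an authorization check. Added example; the PHP sample is constructed and its names
are hypothetical, chosen to mirror the handler shape the research plan infers."""
import re
from dataclasses import dataclass

SAMPLE_PHP = r"""<?php
// constructed sample, hypothetical names: same shape as the inferred NitroPack handler
add_action('wp_ajax_example_purge_all', array($this, 'purgeAll'));
add_action('wp_ajax_nopriv_example_purge_all', array($this, 'purgeAll'));
add_action('wp_ajax_example_save_settings', 'example_save_settings');

register_rest_route('example/v1', '/purge', array(
    'methods' => 'POST',
    'callback' => 'example_rest_purge',
    'permission_callback' => '__return_true',
));
register_rest_route('example/v1', '/status', array(
    'methods' => 'GET',
    'callback' => 'example_rest_status',
    'permission_callback' => function () { return current_user_can('manage_options'); },
));

public function purgeAll() {
    check_ajax_referer('example_purge_all', 'nonce');   // CSRF token, not authorization
    $this->purge();
    wp_send_json_success();
}

function example_save_settings() {
    check_ajax_referer('example_settings', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Unauthorized', 403);
    }
    update_option('example_settings', $_POST['settings']);
    wp_send_json_success();
}
"""


@dataclass
class Finding:
    kind: str      # 'ajax' or 'rest'
    name: str      # AJAX action or REST route
    callback: str
    reason: str


AJAX_HOOK_RE = re.compile(
    r"add_action\(\s*'wp_ajax_(nopriv_)?([\w-]+)'\s*,\s*"
    r"(?:array\(\s*\$\w+\s*,\s*'(\w+)'\s*\)"   # array($this, 'method')
    r"|\[\s*\$\w+\s*,\s*'(\w+)'\s*\]"          # [$this, 'method']
    r"|'(\w+)')"                               # 'plain_function'
)
CAPABILITY_RE = re.compile(r"\b(?:current_user_can|current_user_can_for_blog|user_can|is_super_admin)\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")


def _balanced(text, start, open_ch='(', close_ch=')'):
    """Text inside the bracket at text[start] up to its matching close.
    Brackets inside PHP strings or comments are not special-cased; fine for triage."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return text[start + 1:]


def find_ajax_handlers(php):
    """Map each AJAX action to its callback and whether a wp_ajax_nopriv_ hook exists."""
    handlers = {}
    for m in AJAX_HOOK_RE.finditer(php):
        callback = m.group(3) or m.group(4) or m.group(5)
        entry = handlers.setdefault(m.group(2), {'callback': callback, 'nopriv': False})
        entry['nopriv'] = entry['nopriv'] or m.group(1) is not None
    return handlers


def extract_function_body(php, name):
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php)
    return None if m is None else _balanced(php, m.end() - 1, '{', '}')


def audit_ajax(php):
    """Flag AJAX callbacks with no capability check; a nonce check alone does not count."""
    findings = []
    for action, info in find_ajax_handlers(php).items():
        body = extract_function_body(php, info['callback'])
        if body is None:
            findings.append(Finding('ajax', action, info['callback'], 'callback body not found, review manually'))
        elif CAPABILITY_RE.search(body):
            continue
        elif info['nopriv']:
            reason = 'reachable unauthenticated via wp_ajax_nopriv_ with no capability check'
            reason += ('; nonce check present, but a logged-out nonce is the same for every visitor'
                       if NONCE_RE.search(body) else '; no nonce check either')
            findings.append(Finding('ajax', action, info['callback'], reason))
        else:
            findings.append(Finding('ajax', action, info['callback'],
                                    'any authenticated user (e.g. subscriber) can call it: no capability check'))
    return findings


def audit_rest(php):
    """Flag REST routes whose permission_callback is missing or __return_true."""
    findings = []
    for m in re.finditer(r"register_rest_route\s*\(", php):
        args = _balanced(php, m.end() - 1)
        namespace, route = re.findall(r"'([^']*)'", args)[:2]
        cb = re.search(r"'callback'\s*=>\s*'(\w+)'", args)
        callback = cb.group(1) if cb else '?'
        if "'permission_callback'" not in args:
            reason = 'no permission_callback: route is public (WordPress 5.5+ only logs a _doing_it_wrong notice)'
        elif re.search(r"'permission_callback'\s*=>\s*'__return_true'", args):
            reason = 'permission_callback is __return_true: public by design, confirm the callback is harmless'
        else:
            continue
        findings.append(Finding('rest', namespace.strip('/') + '/' + route.strip('/'), callback, reason))
    return findings


def audit(php):
    return audit_ajax(php) + audit_rest(php)


if __name__ == '__main__':
    for f in audit(SAMPLE_PHP):
        print(f'[{f.kind}] {f.name} -> {f.callback}: {f.reason}')
```

On a real plugin, concatenate the contents of every `.php` file under the plugin directory and pass the result to `audit()`; hooks and their callbacks are often in different files, which is why the whole tree is scanned as one string. The checks are deliberately regex-level: closures passed to `add_action`, callbacks resolved through variables, and capability checks performed by a helper the callback calls are all missed, so a clean report means "nothing obvious", while each finding is a handler to read by hand and, if confirmed, to probe with the request in section 5.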