VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 7 known issues Latest disclosed Feb 18, 2026

NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization Vulnerabilities

Review known vulnerability records for the WordPress plugin NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization (`nitropack`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-39669, CVE-2025-8778 and CVE-2024-11851, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
7
High or Critical
2
Patch Coverage
100%
Last Updated
Apr 25, 2026
Priority CVE Quick Links

Fast paths into NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
6
CVE-2024-11848 High 1.17.6
CVE-2024-11848 NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization Vulnerability

NitroPack <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

CVE-2024-43922 High 1.16.8
CVE-2024-43922 NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization Vulnerability

NitroPack <= 1.16.7 - Unauthenticated Arbitrary Shortcode Execution

CVE-2026-39669 Medium 1.19.4
CVE-2026-39669 NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization Vulnerability

NitroPack <= 1.19.3 - Missing Authorization

CVE-2025-8778 Medium 1.18.5
CVE-2025-8778 NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization Vulnerability

NitroPack <= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function

CVE-2024-11851 Medium 1.17.6
CVE-2024-11851 NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization Vulnerability

NitroPack <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update

CVE-2023-52121 Medium 1.10.3
CVE-2023-52121 NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization Cross-Site Request Forgery

NitroPack <= 1.10.2 - Cross-Site Request Forgery

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
7 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 2 high severity findings.
Recent CVEs
CVE-2026-39669, CVE-2025-8778 and CVE-2024-11851
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-39669
CVE-2026-39669: NitroPack <= 1.19.3 - Missing Authorization

The NitroPack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.19.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Feb 18, 2026
Patched Release
1.19.4
Affected Versions
Versions up to 1.19.3
Next Step
Update to 1.19.4 or newer if supported.
Open CVE-2026-39669 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-8778
CVE-2025-8778: NitroPack <= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function

The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscrib...

Published
Sep 09, 2025
Patched Release
1.18.5
Affected Versions
Versions up to 1.18.4
Next Step
Update to 1.18.5 or newer if supported.
Open CVE-2025-8778 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-11851
CVE-2024-11851: NitroPack <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update

The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscrib...

Published
Jan 14, 2025
Patched Release
1.17.6
Affected Versions
Versions up to 1.17.0
Next Step
Update to 1.17.6 or newer if supported.
Open CVE-2024-11851 Report Open CVE Reference
Plugin High Patched: Yes CVE-2024-11848
CVE-2024-11848: NitroPack <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with sub...

Published
Jan 14, 2025
Patched Release
1.17.6
Affected Versions
Versions up to 1.17.0
Next Step
Update to 1.17.6 or newer if supported.
Open CVE-2024-11848 Report Open CVE Reference
Plugin High Patched: Yes CVE-2024-43922
CVE-2024-43922: NitroPack <= 1.16.7 - Unauthenticated Arbitrary Shortcode Execution

The The NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.16.7. This is due to the software allowing users to execute a...

Published
Aug 26, 2024
Patched Release
1.16.8
Affected Versions
Versions up to 1.16.7
Next Step
Update to 1.16.8 or newer if supported.
Open CVE-2024-43922 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-52121
CVE-2023-52121: NitroPack <= 1.10.2 - Cross-Site Request Forgery

The NitroPack plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.2. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to invoke them via a forged req...

Published
Dec 28, 2023
Patched Release
1.10.3
Affected Versions
Versions up to 1.10.2
Next Step
Update to 1.10.3 or newer if supported.
Open CVE-2023-52121 Report Open CVE Reference
Plugin Medium Patched: Yes
NitroPack <= 1.9.2 - Missing Authorization via multiple AJAX functions

The NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX function in all ve...

Published
Nov 07, 2023
Patched Release
1.10.0
Affected Versions
Versions before 1.10.0
Next Step
Update to 1.10.0 or newer if supported.
Open Full Report