CVE-2025-8778
📋 TL;DR
The NitroPack WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to modify plugin compression settings. This occurs because the nitropack_set_compression_ajax() function lacks proper capability checks. All WordPress sites using NitroPack version 1.18.4 or earlier are affected.
💻 Affected Systems
- NitroPack WordPress Plugin
⚠️ Manual Verification Required
Automated scanners that key on version ranges may not flag this CVE if their database entry carries no range. The affected range stated by the plugin's advisory and this page is NitroPack 1.18.4 and earlier, with 1.18.5 as the fixed release; treat a site running 1.18.4 or lower as affected regardless of what a scanner reports.
If your scanner does not flag it:
- Review the CVE details at NVD
- Check the NitroPack changelog and the Wordfence advisory in the References for the affected range
- Confirm the installed version against that range (see How to Verify below)
- Update to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could disable compression settings, potentially degrading site performance or causing compatibility issues, though no direct data loss or code execution occurs.
Likely Case
Malicious users with basic accounts could tamper with compression settings, affecting site performance optimization without causing major damage.
If Mitigated
With proper user role management and plugin updates, impact is minimal as this doesn't allow privilege escalation or data access.
🎯 Exploit Status
Requires an authenticated session, but a Subscriber account (the lowest default role, and the one open registration hands out) is sufficient. Exploitation is a crafted POST to /wp-admin/admin-ajax.php that invokes the vulnerable action while logged in; no elevated capability or CSRF interaction is needed, because the handler never checks who is calling.
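The pattern behind the bug, shown as an added, illustrative PHP reconstruction rather than NitroPack's actual code (the real before/after is in the changeset linked under References). The option name nitropack_compression, the nonce action nitropack-nonce and the request field compression are assumptions for the example; the AJAX action name follows the indicator used in the Detection section of this page.

```php
<?php
// Illustrative reconstruction, not NitroPack's code. Assumed names:
// option 'nitropack_compression', nonce action 'nitropack-nonce',
// request field 'compression'.

// BEFORE (the pattern CVE-2025-8778 describes). wp_ajax_* hooks fire for any
// logged-in user, and nothing inside the function asks who is calling, so a
// Subscriber can POST to /wp-admin/admin-ajax.php with
// action=nitropack_set_compression&compression=0 and change the setting.
function nitropack_set_compression_ajax_vulnerable() {
    $enabled = ! empty( $_POST['compression'] ) ? 1 : 0;
    update_option( 'nitropack_compression', $enabled );
    wp_send_json_success( array( 'compression' => $enabled ) );
}

// AFTER. A capability check gates the state change; the nonce additionally
// ties the request to a form an administrator actually submitted (CSRF).
function nitropack_set_compression_ajax_fixed() {
    check_ajax_referer( 'nitropack-nonce', 'nonce' );   // wp_die() on bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {     // Subscribers stop here
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $enabled = ! empty( $_POST['compression'] ) ? 1 : 0;
    update_option( 'nitropack_compression', $enabled );
    wp_send_json_success( array( 'compression' => $enabled ) );
}

// Registration is identical in both cases; the fix lives inside the handler.
add_action( 'wp_ajax_nitropack_set_compression', 'nitropack_set_compression_ajax_fixed' );
```

The check to apply when reviewing any wp_ajax_* handler: a hook prefixed wp_ajax_ (as opposed to wp_ajax_nopriv_) only guarantees a session, not a role, so every handler that writes options or files must call current_user_can() with the capability that action actually warrants.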
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.18.5 or later
Vendor Advisory: https://wordpress.org/plugins/nitropack/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find NitroPack and click 'Update Now'.
4. Verify the version shown is 1.18.5 or higher.
🔧 Temporary Workarounds
Disable User Registration
Prevent new user accounts from being created, so an attacker cannot simply self-register a Subscriber account.
In WordPress Settings → General, uncheck 'Anyone can register'
Remove NitroPack Plugin
Temporarily disable the plugin until it is patched; note that this also removes NitroPack's caching and optimization for the site.
In WordPress admin: Plugins → Installed Plugins → NitroPack → Deactivate
🧯 If You Can't Patch
- Restrict user registration to prevent new Subscriber accounts
- Audit existing user accounts and remove any suspicious or unnecessary Subscriber-level users
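A stopgap for sites that cannot update immediately: a must-use plugin that runs before NitroPack's own callback on the same AJAX hook, refuses non-administrators, and writes one log line per blocked attempt (the line carries the action name the Detection & Monitoring section searches for). This is an added example for this advisory, not NitroPack's code. The action name nitropack_set_compression is taken from the indicator on this page; confirm it against the add_action() call in the installed plugin's functions.php, and adjust the capability if NitroPack intentionally grants this setting to a lower role.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-8778 (NitroPack compression AJAX)
 * Description: Drop into wp-content/mu-plugins/ until NitroPack >= 1.18.5 is installed.
 *
 * Added example for this advisory, not NitroPack's code. The hook name
 * 'wp_ajax_nitropack_set_compression' is assumed from the page's indicators.
 */

// Priority 0 runs ahead of the plugin's own callback (default priority 10).
// Ending the request here means the vulnerable handler never executes.
add_action( 'wp_ajax_nitropack_set_compression', 'cve_2025_8778_gate', 0 );

function cve_2025_8778_gate() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the real handler
    }

    $user = wp_get_current_user();

    // One line per blocked attempt, in a form a SIEM can match on
    // "nitropack_set_compression" and the role of the caller.
    error_log( sprintf(
        'CVE-2025-8778 blocked: user=%s id=%d roles=%s ip=%s action=nitropack_set_compression',
        $user->user_login,
        (int) $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    // wp_send_json_error() calls wp_die(), so later callbacks on this hook do not run.
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
```

Once the plugin is updated to 1.18.5 or later the gate is redundant and can be removed; leaving it in place is harmless but keeps a second copy of the check to maintain.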
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → NitroPack version. If version is 1.18.4 or lower, you are vulnerable.
Check Version:
wp plugin list --name=nitropack --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, verify NitroPack version shows 1.18.5 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to /wp-admin/admin-ajax.php with action=nitropack_set_compression
- Multiple compression setting changes from non-admin users
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php carrying action=nitropack_set_compression from sessions that do not belong to an administrator (an IP address alone does not identify a role; correlate the request with the logged-in user). Note that standard web-server access logs do not record POST bodies, so the action parameter is only visible there when it is sent in the query string; application-level logging is needed otherwise.
SIEM Query (field names are illustrative; adapt to your log schema):
source="wordpress.log" AND "admin-ajax.php" AND "nitropack_set_compression" AND NOT user_role="administrator"
🔗 References
- https://plugins.trac.wordpress.org/browser/nitropack/trunk/functions.php#L2907
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3354452%40nitropack&new=3354452%40nitropack&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/nitropack/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/750f35ce-0f1c-4a12-a7a0-2c217de277fd?source=cve