CVE-2024-11848

Name of the Vulnerable Software and Affected Versions NitroPack plugin for WordPress versions prior to 1.17.1

Description The issue is related to a missing capability check on the 'nitropack dismiss notice forever' AJAX action. This allows authenticated attackers with subscriber-level access and above to update arbitrary options to a fixed value of '1', potentially activating certain options, such as enabling user registration, or modifying options in a way that leads to a denial of service condition.

Recommendations For versions prior to 1.17.1, update to version 1.17.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'nitropack dismiss notice forever' AJAX action to prevent exploitation until a patch is applied.