CVE-2024-11851: 
WordPress vulnerability analysis and mitigation

The NitroPack plugin for WordPress (versions up to and including 1.17.0) contains a vulnerability identified as CVE-2024-11851. The vulnerability was discovered by Sean Murphy and disclosed on January 14, 2025. The issue stems from a missing capability check on the nitropackrmlnotification function, which affects the plugin's authorization mechanisms (NVD Database, Wordfence Intel).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (Medium). The vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges. The technical implementation flaw specifically relates to the nitropackrmlnotification function, where the absence of proper capability checks allows for unauthorized transient updates. It's important to note that while arbitrary transients can be updated, they are restricted to integer values only (NVD Database).

The vulnerability allows authenticated attackers with subscriber-level access or higher to perform unauthorized arbitrary transient updates in the WordPress installation. While the impact is somewhat limited by the restriction to integer values only, it still represents a security concern for affected WordPress installations (NVD Database).

A patch has been released to address this vulnerability. Website administrators running affected versions of the NitroPack plugin should update to a version newer than 1.17.0 to mitigate this security risk (WordPress Plugin).