Cyber Resilience

CVE-2024-11848

Severity: High
Published: 15 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0559 (90.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11848 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Create Account: Local Account (T1136.001). The CVE is ranked in the top 9.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_dismiss_notice_forever AJAX action in all versions up to and including 1.17.0. This flaw, tracked as CVE-2024-11848 with a CVSS score of 8.1 and CWE-862, allows changes to arbitrary site options without proper authorization.

Authenticated attackers with subscriber-level access and above can invoke the affected AJAX endpoint to set targeted options to a fixed value of 1. Depending on the option, this can enable features such as user registration or alter configuration values in a manner that produces a denial-of-service condition.

A fix is available in the WordPress plugin repository via changeset 3211235, and the Wordfence advisory provides additional technical detail on the issue. The EPSS score reached a peak of 0.0703 after disclosure, indicating a measurable increase in exploitation interest from a low baseline.

EU & UK References

Vulnerability details

The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of '1' which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition.

CWE(s): CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

- T1136.001 Create Account: Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
- T1565.001 Data Manipulation: Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The missing authorization check on the option-update AJAX handler directly enables arbitrary stored configuration changes (T1565.001). Those changes can in turn activate user registration, which supports local account creation (T1136.001), or produce denial-of-service conditions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-41192 (shared CWE-862)
- CVE-2026-34256 (shared CWE-862)
- CVE-2025-0952 (shared CWE-862)
- CVE-2025-24591 (shared CWE-862)
- CVE-2026-27386 (shared CWE-862)
- CVE-2025-11791 (shared CWE-862)
- CVE-2024-12821 (shared CWE-862)
- CVE-2026-34053 (shared CWE-862)
- CVE-2025-59022 (shared CWE-862)
- CVE-2025-13342 (shared CWE-862)

Affected Assets

WordPress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

- AC-3 Access Enforcement (prevent): Directly enforces approved authorizations to prevent unauthorized modification of data due to missing capability checks on the AJAX action.
- AC-6 Least Privilege (prevent): Applies least privilege to restrict subscriber-level users from accessing or modifying arbitrary WordPress options.
- Flaw remediation (prevent): Remediates the specific flaw in the NitroPack plugin by identifying, reporting, and patching the missing authorization check.
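As an added illustration, not NitroPack's source code and not taken from the Wordfence advisory, the hypothetical handler below shows the CWE-862 pattern described in the Deeper analysis section beside a version that applies the AC-3 and AC-6 controls listed above. Every name prefixed `demo_` is an assumption; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `sanitize_key`, `update_option`, `wp_send_json_error`, `wp_send_json_success`) are real core APIs.

```php
<?php
// Added example (not NitroPack's code): a hypothetical "dismiss notice forever"
// AJAX action, first in the shape the advisory describes, then hardened.

// --- Vulnerable pattern (hypothetical) ---
// wp_ajax_* hooks run for any logged-in user, so a subscriber can reach this.
// The option name comes straight from the request and no capability check is
// made, so any site option can be set to 1 (e.g. users_can_register).
add_action( 'wp_ajax_demo_dismiss_notice_forever', 'demo_dismiss_notice_forever_vulnerable' );
function demo_dismiss_notice_forever_vulnerable() {
    $option = isset( $_POST['notice'] ) ? sanitize_key( $_POST['notice'] ) : '';
    if ( '' === $option ) {
        wp_send_json_error( 'missing notice id' );
    }
    update_option( $option, 1 ); // attacker-chosen option name, fixed value 1
    wp_send_json_success();
}

// --- Hardened version ---
// 1. Only users who may manage options can call it (AC-3 access enforcement).
// 2. A nonce ties the request to a page the plugin rendered, blocking CSRF.
// 3. The request names a notice, not an option: the real option key is taken
//    from an allowlist owned by the plugin (AC-6: no arbitrary option writes).
const DEMO_DISMISSIBLE_NOTICES = array(
    'demo_notice_welcome' => 'demo_notice_welcome_dismissed',
    'demo_notice_upgrade' => 'demo_notice_upgrade_dismissed',
);

add_action( 'wp_ajax_demo_dismiss_notice_forever_v2', 'demo_dismiss_notice_forever_hardened' );
function demo_dismiss_notice_forever_hardened() {
    // The nonce is created server-side with wp_create_nonce( 'demo_dismiss_notice' )
    // when the notice is rendered and sent back in the 'nonce' POST field.
    check_ajax_referer( 'demo_dismiss_notice', 'nonce' ); // dies on a bad or missing nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $notice = isset( $_POST['notice'] ) ? sanitize_key( $_POST['notice'] ) : '';
    if ( ! array_key_exists( $notice, DEMO_DISMISSIBLE_NOTICES ) ) {
        wp_send_json_error( 'unknown notice', 400 );
    }

    // Only plugin-owned keys can ever reach update_option(); autoload is
    // disabled because a dismissal flag is not needed on every page load.
    update_option( DEMO_DISMISSIBLE_NOTICES[ $notice ], 1, false );
    wp_send_json_success();
}
```

Two design points follow from the hardened handler. The capability check is `manage_options` rather than something weaker because the handler writes site-wide options; if the intent is that each user dismisses a notice for themselves, the state belongs in user meta (`update_user_meta( get_current_user_id(), ... )`), which needs no site-level capability at all. And the allowlist, not the capability check, is what removes the "arbitrary option" part of the flaw: even an administrator's request cannot name an option the plugin does not own.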

References