CVE-2024-11848
Published: 15 January 2025
Summary
CVE-2024-11848 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Local Account (T1136.001); ranked in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_dismiss_notice_forever AJAX action in all versions up to and including 1.17.0. This flaw, tracked as CVE-2024-11848 with a CVSS score of 8.1 and CWE-862, allows changes to arbitrary site options without proper authorization.
Authenticated attackers with subscriber-level access and above can invoke the affected AJAX endpoint to set targeted options to a fixed value of 1. Depending on the option, this can enable features such as user registration or alter configuration values in a manner that produces a denial-of-service condition.
A fix is available in the WordPress plugin repository via changeset 3211235, and the Wordfence advisory provides additional technical detail on the issue. The EPSS score reached a peak of 0.0703 after disclosure, indicating a measurable increase in exploitation interest from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34380
Vulnerability details
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of '1' which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition.
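The flaw described in the "Deeper analysis" and "Vulnerability details" sections above is a missing capability check on an authenticated AJAX handler that writes a request-chosen option. The following is an added illustration, not NitroPack's code and not taken from the changeset: a hypothetical plugin handler showing the vulnerable pattern beside a hardened version. All names (example_dismiss_notice_forever, the notice allow-list, the option prefix) are assumptions made for the example.

```php
<?php
// Added illustration (hypothetical plugin code, not NitroPack's): the pattern the
// advisory describes, and a hardened handler. All names here are assumptions.

// VULNERABLE PATTERN. wp_ajax_* hooks are reachable by every logged-in user,
// including subscribers. With no capability check and no nonce, and with the
// option name taken from the request, any authenticated user can set an
// arbitrary option (e.g. users_can_register) to 1. Shown for contrast only; not
// registered on a hook.
function example_dismiss_notice_vulnerable() {
    $option = sanitize_text_field( wp_unslash( $_POST['notice'] ?? '' ) );
    update_option( $option, 1 ); // request-controlled option name: CWE-862 in practice
    wp_send_json_success();
}

// HARDENED HANDLER: verify a nonce, require an appropriate capability, and never
// let the request choose which option is written.
add_action( 'wp_ajax_example_dismiss_notice_forever', 'example_dismiss_notice_hardened' );
function example_dismiss_notice_hardened() {
    // 1. CSRF protection. The nonce is issued where the notice is rendered with
    //    wp_create_nonce( 'example_dismiss_notice' ) and posted as 'nonce'.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // 2. Authorization, the check that was missing. Dismissing admin notices is an
    //    administrative action, so require manage_options rather than mere login.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list the writable state. Map the request to a fixed key under the
    //    plugin's own option namespace instead of trusting an arbitrary name.
    $allowed = array( 'welcome', 'upgrade' ); // hypothetical notice ids
    $notice  = sanitize_key( wp_unslash( $_POST['notice'] ?? '' ) );
    if ( ! in_array( $notice, $allowed, true ) ) {
        wp_send_json_error( 'unknown notice', 400 );
    }
    update_option( 'example_notice_dismissed_' . $notice, 1 );
    wp_send_json_success();
}
```

For review or detection purposes, the three properties to check on any wp_ajax_ handler are the same ones the hardened version adds: a nonce check (check_ajax_referer), a current_user_can check against a capability that matches the action rather than just being logged in, and option or post keys that are fixed by the plugin rather than supplied by the request.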
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization on the option-update AJAX handler directly enables arbitrary stored configuration changes (T1565.001, Stored Data Manipulation), which can activate user registration (T1136.001, Create Account: Local Account) or produce denial-of-service conditions.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations to prevent unauthorized modification of data due to the missing capability check on the AJAX action.
- AC-6 (Least Privilege): Applies least privilege to restrict subscriber-level users from accessing or modifying arbitrary WordPress options.
- Remediates the specific flaw in the NitroPack plugin by identifying, reporting, and patching the missing authorization check.