Description
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.
Published: 2025-03-25
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via internal requests
Action: Apply Patch
AI Analysis

Impact

The WP Compress – Instant Performance & Speed Optimization plugin contains a Server-Side Request Forgery flaw in its init() function. This flaw allows an unauthenticated remote user to cause the plugin to send arbitrary HTTP or HTTPS requests from the host on which the WordPress site is running. As a result, an attacker can probe internal network services, retrieve configuration data, or access resources that are otherwise unreachable from the Internet.

Affected Systems

Any installation of the WP Compress plugin version 6.30.15 or older is affected. The vulnerability has been identified in the plugin released by aresit for WordPress and applies to all WordPress sites that have not updated past that version.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity, and the EPSS score of less than 1% points to a low likelihood of exploitation. The vulnerability is not catalogued in CISA’s KEV list, suggesting no widespread exploitation has been reported. Exploitation requires only network access to the WordPress site and no authentication; with that access, an attacker could craft SSRF requests to internal or privileged endpoints to gather sensitive information.

Generated by OpenCVE AI on April 22, 2026 at 17:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Compress to a version newer than 6.30.15
  • If immediate upgrade is not possible, block the plugin’s outbound network traffic using a firewall or network segmentation to prevent it from contacting internal services
  • Configure a web application firewall to flag or block SSRF-related requests, such as attempts to reach localhost, 127.0.0.1, or private IP ranges
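The destination check the recommended actions describe (refusing localhost, 127.0.0.1 and private ranges), as an added Python example that is not part of the advisory or of the WP Compress plugin: it models the allow/deny decision a server-side fetcher or WAF rule should make before following a user-influenced URL. The DNS table, host names and the `classify_destination` / `is_public_address` functions are constructed for this example; it goes beyond the bullet's list by also rejecting link-local and IPv4-mapped IPv6 destinations and names that resolve to a mix of public and private addresses.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline; names and records are made up.
CONSTRUCTED_DNS = {
    "cdn.example.com": ["8.8.8.8"],
    "localhost": ["127.0.0.1"],
    "metadata.internal.example": ["169.254.169.254"],
    "rebind.example.net": ["8.8.4.4", "10.0.0.5"],  # one public and one private record
}

def system_resolve(host: str) -> List[str]:
    """Resolve with the OS resolver (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def table_resolve(host: str) -> List[str]:
    """Offline stand-in for system_resolve; IP literals resolve to themselves."""
    return CONSTRUCTED_DNS.get(host) or [str(ipaddress.ip_address(host))]

def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast. is_global already excludes loopback,
    RFC 1918, link-local (169.254/16, where cloud metadata endpoints live) and 0.0.0.0;
    IPv4-mapped IPv6 is unwrapped so ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def classify_destination(url: str, resolve: Callable[[str], Iterable[str]] = system_resolve) -> str:
    """Return 'allow' or 'deny:<reason>' for a URL the server is about to fetch.
    Every resolved address must be public, so a name with mixed records is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "deny:scheme"
    if not parts.hostname:
        return "deny:no-host"
    if parts.username is not None or parts.password is not None:
        return "deny:userinfo"  # credentials in a fetch URL are not expected here
    try:
        addrs = list(resolve(parts.hostname.rstrip(".")))
        public = [is_public_address(a) for a in addrs]
    except (socket.gaierror, ValueError):
        return "deny:unresolvable"
    if not addrs:
        return "deny:unresolvable"
    return "allow" if all(public) else "deny:non-public-address"
```

Pass `resolve=table_resolve` to exercise the constructed table offline; with the default resolver the check resolves the name at decision time, so the fetch itself should still be pinned to the vetted address rather than re-resolving the host name.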


Advisories

Source | ID | Title
EUVD | EUVD-2025-8078 | The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.
History

Mon, 11 Aug 2025 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wpcompress; Wpcompress wp Compress
CPEs | | cpe:2.3:a:wpcompress:wp_compress:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Wpcompress; Wpcompress wp Compress

Mon, 31 Mar 2025 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Mar 2025 11:15:00 +0000

Type | Values Removed | Values Added
Description | | The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.
Title | | WP Compress <= 6.30.15 - Unauthenticated Server-Side Request Forgery via init Function
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:06.680Z

Reserved: 2025-03-07T21:15:53.865Z

Link: CVE-2025-2109

Vulnrichment

Updated: 2025-03-31T16:17:59.364Z

NVD

Status: Analyzed

Published: 2025-03-25T11:15:36.333

Modified: 2025-08-11T18:03:48.423

Link: CVE-2025-2109

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses