Description
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its AJAX functions in all versions up to, and including, 6.30.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to compromise the site in various ways depending on the specific function exploited - for example, by retrieving sensitive settings and configuration details, or by altering and deleting them, thereby disclosing sensitive information, disrupting the plugin’s functionality, and potentially impacting overall site performance.
Published: 2025-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access and Modification
Action: Immediate Patch
AI Analysis

Impact

The WordPress plugin WP Compress has missing capability checks on its AJAX functions in all versions up to and including 6.30.15. WordPress only confirms that a request to wp-admin/admin-ajax.php comes from a logged-in session; whether that user is allowed to perform the requested action is left to the plugin's own wp_ajax_* handler, and here those handlers omit a capability check such as current_user_can(). Any authenticated user with Subscriber-level access or higher can therefore call the endpoints and retrieve, change, or delete plugin configuration and settings. This can expose sensitive information, disrupt the plugin’s operation, degrade site performance, and compromise overall site integrity. The weakness is a missing authorization check, identified as CWE-862.
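The pattern behind this class of finding, shown as an added example rather than WP Compress's own code: a wp_ajax_* handler that trusts the WordPress session alone, beside the hardened form that adds the missing capability check (plus a nonce and input validation). The hook name `example_save_settings`, the option name `example_plugin_settings` and the nonce action are placeholders, not identifiers from the plugin.

```php
<?php
// Added example, not vendor code. All names below are illustrative placeholders.

// --- Vulnerable pattern (what a "missing capability check" looks like) -----
// WordPress dispatches do_action( 'wp_ajax_example_save_settings' ) for ANY
// logged-in user who requests /wp-admin/admin-ajax.php?action=example_save_settings.
// Core verifies only that a session exists, not what the user may do, so a
// Subscriber can read, overwrite or delete the option below.
// (Left unregistered here so it does not run alongside the hardened handler.)
// add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings ); // no authorization, no nonce, no validation
    wp_send_json_success( get_option( 'example_plugin_settings' ) );
}

// --- Hardened pattern ------------------------------------------------------
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // 1. Authorization (the CWE-862 gap): require the capability the operation
    //    needs. Site-wide settings belong to manage_options (Administrators).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 ); // dies
    }

    // 2. CSRF: bind the request to a nonce issued with the settings form.
    //    check_ajax_referer() terminates the request with HTTP 403 on failure.
    check_ajax_referer( 'example_settings_nonce', '_ajax_nonce' );

    // 3. Validation: never persist raw request data.
    $raw   = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $clean = array();
    foreach ( $raw as $key => $value ) {
        $clean[ sanitize_key( $key ) ] = sanitize_text_field( (string) $value );
    }

    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success( $clean );
}
```

Two points the advisory's wording implies: every handler that reads, alters or deletes settings needs the same three checks, not just the one that writes; and because the CVSS vector is PR:L, only `wp_ajax_*` hooks are in scope here, whereas a `wp_ajax_nopriv_*` registration would expose the same handler to unauthenticated callers.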

Affected Systems

All installations of the aresit WP Compress – Instant Performance & Speed Optimization plugin, in versions 6.30.15 and earlier, on WordPress sites are affected. No specific WordPress core version is mentioned, so any site running the vulnerable plugin regardless of core version is susceptible.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), marking it as high severity: it is reachable over the network, needs only low privileges, and requires no user interaction. EPSS puts the probability of exploitation in the wild below 1%, suggesting that real‑world attacks have been scarce so far, yet the requirement of only Subscriber‑level authentication makes it an attractive target on any site where registration is open or a low‑privilege account can be obtained. The attack path is an HTTP request to the plugin's AJAX endpoints, which WordPress routes through wp-admin/admin-ajax.php; no privilege escalation or local code execution is needed. The flaw is not currently listed in the CISA KEV catalog, and the SSVC record in the History section below marks exploitation as none and the flaw as not automatable, but the missing authorization remains a serious risk for future exploitation.

Generated by OpenCVE AI on April 28, 2026 at 03:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Compress to a release later than 6.30.15. OpenCVE's AI analysis names 6.30.16 as the version in which the missing authorization checks were corrected, but the Remediation field above records no vendor fix, so confirm the fixed version against the plugin's changelog before relying on it.
  • If an upgrade cannot be applied immediately, note that all WordPress AJAX traffic shares a single URL (wp-admin/admin-ajax.php), so blocking that URL would break every plugin and theme on the site. Filter on the action parameter instead: enumerate the plugin's wp_ajax_* hook names from its source and block those actions for non‑administrators at the WAF or web server, or temporarily deactivate the plugin until the patch is applied.
  • Because the flaw is a missing check inside the plugin code, role configuration alone cannot close it; any account with Subscriber access suffices. Reduce exposure by disabling open registration where it is not needed, removing stale low‑privilege accounts, and reviewing the plugin's stored settings for unexpected changes and for sensitive values that may already have been disclosed.
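A site‑side stopgap along the lines of the second bullet, as an added example (not vendor code): a must‑use plugin that refuses the plugin's AJAX actions to anyone below Administrator before the plugin's own handler runs, and logs the attempt. This page does not name the affected functions, so `EXAMPLE_GATED_ACTIONS` holds hypothetical placeholders that an operator must replace with the real `wp_ajax_*` hook names taken from the plugin source; the `manage_options` capability is likewise an assumption about which users should reach these settings.

```php
<?php
/**
 * Plugin Name: Temporary AJAX capability gate (added example)
 * Description: Drop into wp-content/mu-plugins/ (loads before regular plugins, no activation needed).
 *
 * Added example, not vendor code. Action names below are placeholders; fill the
 * list from the plugin's own add_action( 'wp_ajax_...' ) registrations.
 */

const EXAMPLE_GATED_ACTIONS = array(
    'example_plugin_get_settings',    // hypothetical
    'example_plugin_save_settings',   // hypothetical
    'example_plugin_delete_settings', // hypothetical
);

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so a
// check hooked here (priority 0) runs ahead of the vulnerable handler.
add_action( 'admin_init', 'example_gate_plugin_ajax', 0 );
function example_gate_plugin_ajax() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, EXAMPLE_GATED_ACTIONS, true ) ) {
        return; // not one of the gated actions; leave other plugins alone
    }
    if ( current_user_can( 'manage_options' ) ) {
        return; // Administrators keep using the plugin normally
    }

    // A Subscriber-level call to one of these actions is exactly the pattern the
    // advisory describes, so record it for detection before refusing it.
    error_log( sprintf(
        'blocked gated ajax action=%s user=%d ip=%s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // terminates the request
}
```

This only restores the authorization check; it does not add the nonce the plugin's handlers should also carry, and it does nothing for requests that reach the plugin through paths other than admin-ajax.php. Remove it once the patched release is installed.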



Advisories
Source ID Title
EUVD EUVD-2025-8121 The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its AJAX functions in all versions up to, and including, 6.30.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to compromise the site in various ways depending on the specific function exploited - for example, by retrieving sensitive settings and configuration details, or by altering and deleting them, thereby disclosing sensitive information, disrupting the plugin’s functionality, and potentially impacting overall site performance.
History

Mon, 11 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Wpcompress
Wpcompress wp Compress
CPEs cpe:2.3:a:wpcompress:wp_compress:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpcompress
Wpcompress wp Compress

Wed, 26 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 11:30:00 +0000

Type Values Removed Values Added
Description The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its AJAX functions in all versions up to, and including, 6.30.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to compromise the site in various ways depending on the specific function exploited - for example, by retrieving sensitive settings and configuration details, or by altering and deleting them, thereby disclosing sensitive information, disrupting the plugin’s functionality, and potentially impacting overall site performance.
Title WP Compress <= 6.30.15 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:43.207Z

Reserved: 2025-03-07T21:55:58.098Z

Link: CVE-2025-2110

Vulnrichment

Updated: 2025-03-26T13:37:31.871Z

NVD

Status : Analyzed

Published: 2025-03-26T12:15:15.827

Modified: 2025-08-11T18:02:44.917

Link: CVE-2025-2110

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T03:30:19Z

Weaknesses