Description
Cross-Site Request Forgery (CSRF) vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Cross Site Request Forgery.This issue affects WP Compress: from n/a through <= 6.30.30.
Published: 2025-05-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A CSRF flaw in the WP Compress image‑optimizer plugin allows an attacker to forge authenticated requests that the site processes as legitimate. Based on the description, it is inferred that the attacker could invoke any functionality that requires authentication, though the specific actions beyond credential forgery are not explicitly detailed.

Affected Systems

The vulnerability affects WordPress sites that use the WP Compress plugin from any version up to and including 6.30.30, as released by AresIT. All installations of WP Compress within that version range are potentially exposed.

Risk and Exploitability

The CVSS score of 7.1 signals a high impact, while the EPSS value of less than 1% indicates that attacks are unlikely but not impossible. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is web‑based; based on the description it is inferred that the attacker would need to trick an authenticated user into submitting a crafted request or clicking a malicious link to exploit the flaw. This requires the victim to be logged into the WordPress site and can lead to unauthorized actions performed as that user.

Generated by OpenCVE AI on May 2, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Compress to version 6.30.31 or later to remove the CSRF flaw.
  • If an upgrade cannot be performed immediately, temporarily deactivate the WP Compress plugin to eliminate the exposed functionality.
  • Implement or configure a web application firewall to block unexpected or unsigned POST requests during the interim period.

Generated by OpenCVE AI on May 2, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13790 Cross-Site Request Forgery (CSRF) vulnerability in AresIT WP Compress allows Cross Site Request Forgery. This issue affects WP Compress: from n/a through 6.30.30.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in AresIT WP Compress allows Cross Site Request Forgery. This issue affects WP Compress: from n/a through 6.30.30. Cross-Site Request Forgery (CSRF) vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Cross Site Request Forgery.This issue affects WP Compress: from n/a through <= 6.30.30.
Title WordPress WP Compress <= 6.30.30 - Cross Site Request Forgery (CSRF) Vulnerability WordPress WP Compress plugin <= 6.30.30 - Cross Site Request Forgery (CSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0002}

 epss

{'score': 0.00023}

Mon, 12 May 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Wpcompress
Wpcompress wp Compress
CPEs cpe:2.3:a:wpcompress:wp_compress:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpcompress
Wpcompress wp Compress

Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in AresIT WP Compress allows Cross Site Request Forgery. This issue affects WP Compress: from n/a through 6.30.30.
Title WordPress WP Compress <= 6.30.30 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wpcompress Wp Compress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:44.551Z

Reserved: 2025-05-07T09:39:53.907Z

Link: CVE-2025-47546

cve-icon Vulnrichment

Updated: 2025-05-07T17:20:22.401Z

cve-icon NVD

Status : Modified

Published: 2025-05-07T15:16:11.380

Modified: 2026-04-23T15:30:27.637

Link: CVE-2025-47546

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z

Weaknesses