Impact
The AresIT WP Compress plugin for WordPress contains a missing authorization control that permits unauthorized users to access privileged functionality within the plugin. The flaw is a classic example of CWE-862 (Missing Authorization). The impact is that an attacker could view or modify image-compression settings and other protected plugin resources, potentially enabling further privilege escalation on the site. Although the description does not detail all consequences, it is clear that the confidentiality and integrity of the plugin configuration may be compromised.
Affected Systems
The vulnerability affects the WP Compress image optimizer plugin from its earliest release through version 6.60.28. Any WordPress installation hosting one of these versions is at risk. The vendor is AresIT and the product is WP Compress.
Risk and Exploitability
The CVSS v3 base score of 5.3 indicates moderate severity. The EPSS score of less than 1% indicates that the probability of exploitation in the wild is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web-based, inferred from the nature of the plugin and the absence of an authentication requirement in the description. An attacker can exploit the flaw by interacting with the plugin's administration interface or by crafting requests that bypass the missing permission checks. Based on the description, it is inferred that exploitation does not require prior authentication, allowing an unauthenticated user to gain unauthorized access to privileged plugin functionality.
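As an added illustration of the CWE-862 pattern described above, not code from WP Compress (the plugin name, option name and AJAX action names are hypothetical), the following shows a WordPress settings handler that lacks authorization beside a hardened version of the same handler:

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin settings handler.
// Hypothetical plugin "example-compress"; not code from WP Compress.

// BEFORE: the handler is reachable by logged-in *and* anonymous callers
// (wp_ajax_nopriv_) and performs no capability or nonce check, so any
// visitor can change the compression settings.
function example_compress_save_settings_vulnerable() {
    $quality = isset( $_POST['quality'] ) ? absint( $_POST['quality'] ) : 80;
    update_option( 'example_compress_quality', $quality );
    wp_send_json_success( array( 'quality' => $quality ) );
}
add_action( 'wp_ajax_example_compress_save',        'example_compress_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_compress_save', 'example_compress_save_settings_vulnerable' );

// AFTER: only administrators presenting a valid nonce may change the setting.
function example_compress_save_settings_fixed() {
    // Reject forged cross-site requests: dies with HTTP 403 if the nonce is invalid.
    check_ajax_referer( 'example_compress_settings', 'nonce' );

    // Authorization: changing plugin options is an administrator-level action.
    // This is the check whose absence constitutes CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Validate the input before persisting it.
    $quality = isset( $_POST['quality'] ) ? absint( $_POST['quality'] ) : 80;
    if ( $quality < 1 || $quality > 100 ) {
        wp_send_json_error( array( 'message' => 'quality must be between 1 and 100.' ), 400 );
    }
    update_option( 'example_compress_quality', $quality );
    wp_send_json_success( array( 'quality' => $quality ) );
}
// No wp_ajax_nopriv_ hook: anonymous visitors never reach the handler at all.
add_action( 'wp_ajax_example_compress_save_fixed', 'example_compress_save_settings_fixed' );

// The admin page exposes the nonce the fixed handler expects to its JavaScript.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'jquery', 'exampleCompress', array(
        'nonce' => wp_create_nonce( 'example_compress_settings' ),
    ) );
} );
```

The same principle applies to REST routes: a `permission_callback` of `__return_true` on a settings endpoint is the REST-API equivalent of the vulnerable handler above.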
OpenCVE Enrichment