CVE-2025-2110
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its on its AJAX functions in all versions up to, and including, 6.30.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to compromise the site in various ways depending on the specific function exploited - for example, by retrieving sensitive settings and configuration details, or by altering and deleting them, thereby disclosing sensitive information, disrupting the plugin’s functionality, and potentially impacting overall site performance.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| aresit | WP Compress – Instant Performance & Speed Optimization | 0 <= 6.30.15 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2bb4ead4-b2ad-42b4-92a0-fb7293f6df06?source=cve
- https://plugins.trac.wordpress.org/browser/wp-compress-image-optimizer/tags/6.30.15/classes/ajax.class.php
- https://wordpress.org/plugins/wp-compress-image-optimizer/#developers
- https://plugins.trac.wordpress.org/changeset/3254259/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.