Cyber Resilience

CVE-2025-2110

High

Published: 26 March 2025

Published
26 March 2025
Modified
11 August 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2110 is a high-severity Missing Authorization (CWE-862) vulnerability in Wpcompress Wp Compress. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-2110 affects the WP Compress – Instant Performance & Speed Optimization plugin for WordPress, specifically due to missing capability checks on its AJAX functions in all versions up to and including 6.30.15. This vulnerability, classified under CWE-862 (Missing Authorization), enables unauthorized access, modification, and loss of data. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and requirements for low-privilege (Subscriber-level) authentication.

Authenticated attackers with Subscriber-level access or higher can exploit this over the network without user interaction. Depending on the targeted AJAX function, they can retrieve sensitive settings and configuration details, alter or delete them, leading to disclosure of confidential information, disruption of the plugin's functionality, and potential degradation of overall site performance.

Advisories, including the Wordfence threat intelligence report, highlight the need to update the plugin beyond version 6.30.15. The fix is detailed in WordPress plugin changeset 3254259, with vulnerable code visible in the 6.30.15 tag of ajax.class.php; practitioners should review the plugin's developer page for patched releases.

EU & UK References

Vulnerability details

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its on its AJAX functions in all versions up to, and including,…

more

6.30.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to compromise the site in various ways depending on the specific function exploited - for example, by retrieving sensitive settings and configuration details, or by altering and deleting them, thereby disclosing sensitive information, disrupting the plugin’s functionality, and potentially impacting overall site performance.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization on public-facing WordPress plugin AJAX endpoints enables exploitation of the web application (T1190) and allows low-privilege authenticated users to perform unauthorized actions equivalent to privilege escalation (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4100Shared CWE-862
CVE-2026-32501Shared CWE-862
CVE-2025-31194Shared CWE-862
CVE-2026-6963Shared CWE-862
CVE-2024-9195Shared CWE-862
CVE-2025-6380Shared CWE-862
CVE-2026-0506Shared CWE-862
CVE-2025-27270Shared CWE-862
CVE-2026-6510Shared CWE-862
CVE-2026-0974Shared CWE-862

Affected Assets

wpcompress
wp compress
≤ 6.30.16

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations on AJAX functions to prevent unauthorized access, modification, and deletion by low-privilege authenticated users like subscribers.

prevent

Remediates the missing capability checks by requiring timely installation of the plugin patch in versions beyond 6.30.15.

prevent

Limits subscriber-level users to only necessary privileges, reducing the impact of exploited AJAX functions lacking authorization enforcement.

References