CVE-2025-2110
Published: 26 March 2025
Summary
CVE-2025-2110 is a high-severity Missing Authorization (CWE-862) vulnerability in Wpcompress Wp Compress. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-2110 affects the WP Compress – Instant Performance & Speed Optimization plugin for WordPress, specifically due to missing capability checks on its AJAX functions in all versions up to and including 6.30.15. This vulnerability, classified under CWE-862 (Missing Authorization), enables unauthorized access, modification, and loss of data. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and requirements for low-privilege (Subscriber-level) authentication.
Authenticated attackers with Subscriber-level access or higher can exploit this over the network without user interaction. Depending on the targeted AJAX function, they can retrieve sensitive settings and configuration details, alter or delete them, leading to disclosure of confidential information, disruption of the plugin's functionality, and potential degradation of overall site performance.
Advisories, including the Wordfence threat intelligence report, highlight the need to update the plugin beyond version 6.30.15. The fix is detailed in WordPress plugin changeset 3254259, with vulnerable code visible in the 6.30.15 tag of ajax.class.php; practitioners should review the plugin's developer page for patched releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8121
Vulnerability details
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its on its AJAX functions in all versions up to, and including,…
more
6.30.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to compromise the site in various ways depending on the specific function exploited - for example, by retrieving sensitive settings and configuration details, or by altering and deleting them, thereby disclosing sensitive information, disrupting the plugin’s functionality, and potentially impacting overall site performance.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization on public-facing WordPress plugin AJAX endpoints enables exploitation of the web application (T1190) and allows low-privilege authenticated users to perform unauthorized actions equivalent to privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations on AJAX functions to prevent unauthorized access, modification, and deletion by low-privilege authenticated users like subscribers.
Remediates the missing capability checks by requiring timely installation of the plugin patch in versions beyond 6.30.15.
Limits subscriber-level users to only necessary privileges, reducing the impact of exploited AJAX functions lacking authorization enforcement.