CVE-2025-2110
Published: 26 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-2110 affects the WP Compress – Instant Performance & Speed Optimization plugin for WordPress, specifically due to missing capability checks on its AJAX functions in all versions up to and including 6.30.15. This vulnerability, classified under CWE-862 (Missing Authorization), enables unauthorized access, modification, and loss of data. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and requirements for low-privilege (Subscriber-level) authentication.
Authenticated attackers with Subscriber-level access or higher can exploit this over the network without user interaction. Depending on the targeted AJAX function, they can retrieve sensitive settings and configuration details, alter or delete them, leading to disclosure of confidential information, disruption of the plugin's functionality, and potential degradation of overall site performance.
Advisories, including the Wordfence threat intelligence report, highlight the need to update the plugin beyond version 6.30.15. The fix is detailed in WordPress plugin changeset 3254259, with vulnerable code visible in the 6.30.15 tag of ajax.class.php; practitioners should review the plugin's developer page for patched releases.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization on public-facing WordPress plugin AJAX endpoints enables exploitation of the web application (T1190) and allows low-privilege authenticated users to perform unauthorized actions equivalent to privilege escalation (T1068).