Compress <= 6.60.28 - Missing Authorization
Description
The Compress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.60.28. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (5.3, Medium: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, low integrity impact, no confidentiality or availability impact)
Technical Details
Affected versions: <= 6.60.28
What Changed in the Fix
Changes introduced in v6.60.29
Source Code
WordPress.org SVN
Research Plan: CVE-2026-25370 - Missing Authorization in WP Compress
Vulnerability Summary
The WP Compress – Instant Performance & Speed Optimization plugin (versions <= 6.60.28) is vulnerable to missing authorization. The plugin registers several AJAX actions that are intended for administrative use but does not perform sufficient capability checks inside the handler functions. Specifically, the wps_ic_ajax class registers many actions through a helper method, add_ajax; the same class also has a separate add_ajax_nopriv helper, so the excerpt below does not settle which of the two WordPress hooks (wp_ajax_, which fires for logged-in users, and wp_ajax_nopriv_, which fires for anonymous users) add_ajax registers. Either way, the registration is guarded only by an is_admin() check in the constructor, and is_admin() is always true while admin-ajax.php is the entry point, whether or not the caller is logged in, so the guard excludes nobody. Sensitive actions such as cache purging are therefore reachable by callers who should not have them, and the advisory rates the issue as exploitable without authentication (PR:N).
Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: wps_ic_purge_cdn or wps_ic_purge_html
- Method: POST or GET (usually POST for AJAX)
- Parameters: action=wps_ic_purge_cdn
- Authentication: None required (PR:N)
- Preconditions: The plugin must be active and ideally configured with an API key (to pass the `!empty(parent::$api_key)` check in the `is_admin()` block of `classes/ajax.class`
Summary
The WP Compress plugin for WordPress fails to perform authorization checks and nonce verification on several AJAX actions, such as cache purging and CDN management. This allows unauthenticated attackers to trigger sensitive administrative actions by sending requests to the admin-ajax.php endpoint.
Vulnerable Code
```php
// classes/ajax.class.php @ line 38 (excerpt as shown on the page; elisions are marked "truncated")
public function __construct()
{
    self::$Requests = new wps_ic_requests();

    if (is_admin()) {
        // ... (truncated)
        if (!empty(parent::$api_key)) {
            // ... (truncated)
            $this->add_ajax('wps_ic_purge_cdn');
            $this->add_ajax('wps_ic_purge_html');
            $this->add_ajax('wps_ic_purge_critical_css');
            // ... (truncated)
        }
    } else {
        $this->add_ajax('wpc_ic_set_mode');
        $this->add_ajax('wpc_send_critical_remote');
        $this->add_ajax_nopriv('wpc_send_critical_remote');
        $this->add_ajax('wps_ic_purge_html');
        $this->add_ajax('wps_ic_purge_cdn');
        // ... (truncated)
    }
}
```
Security Fix
@@ -387,51 +387,6 @@ } - public function wpc_ic_setupCFOld() - { - if (!current_user_can('manage_wpc_settings') || !wp_verify_nonce($_POST['wps_ic_nonce'], 'wps_ic_nonce_action')) { - wp_send_json_error('Forbidden.'); - } - - $token = sanitize_text_field($_POST['token']); - $zoneInput = sanitize_text_field($_POST['zone']); - - $cfapi = new WPC_CloudflareAPI($token); - $whitelist = $cfapi->whitelistIPs($zoneInput); - - // TODO: Add functions - $cf = get_option(WPS_IC_CF); - // Static Assets & Edge Cache - $cfapi->updateWPCCacheConfig($zoneInput, 1, 'all'); - // CF Real Time CDN - $dns_result = $cfapi->addCfCname($zoneInput); - - // set custom cname - $cf['custom_cname'] = $cfapi->getCfCname(); - $cfCname = $cfapi->getCfCname(); - $cf['settings'] = ['assets' => '1', 'edge-cache' => 'all', 'cdn' => '1']; - update_option(WPS_IC_CF_CNAME, $cfCname); - update_option(WPS_IC_CF, $cf); - - // TODO Save Cname into API - $requests = new wps_ic_requests(); - $options = get_option(WPS_IC_OPTIONS); - $apikey = $options['api_key']; - $requests->GET(WPS_IC_KEYSURL, ['action' => 'cloudflare_setCname', 'apikey' => $apikey, 'cname' => $cfapi->getCfCname(), 'time' => microtime(true)]); - - self::$options = get_option(WPS_IC_SETTINGS); - self::$options['cf'] = $cf['settings']; - $cfCname = $cfapi->getCfCname(); - update_option(WPS_IC_CF_CNAME, $cfCname); - update_option(WPS_IC_SETTINGS, self::$options); - - if (is_wp_error($whitelist)) { - wp_send_json_error($whitelist->get_error_message()); - } - - wp_send_json_success('whitelisted-successfully'); - } - public function wpc_send_critical_remote()
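Review bot: this hunk only removes wpc_ic_setupCFOld(), and that function already opened with a current_user_can('manage_wpc_settings') and wp_verify_nonce guard, so nothing here touches the wps_ic_purge_cdn / wps_ic_purge_html handlers that the Summary and Exploit Outline call out; the hunk that adds a capability check to those handlers (or drops their unauthenticated registration in the constructor) is the one to quote under Security Fix. Two smaller points on the deleted body, in case the same code survives elsewhere in the plugin: `$_POST['wps_ic_nonce']` and `$_POST['token']` are read without an isset() check, and `if (is_wp_error($whitelist))` comes only after `updateWPCCacheConfig`, `addCfCname` and the `update_option` calls have already run, so a failed whitelist call still leaves the Cloudflare configuration and stored options changed.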
Exploit Outline
The exploit targets the WordPress AJAX endpoint to perform unauthorized actions.

1. An unauthenticated attacker identifies a site using a vulnerable version of WP Compress.
2. The attacker sends a POST or GET request to `/wp-admin/admin-ajax.php`.
3. The request includes an `action` parameter corresponding to one of the unprotected actions, such as `wps_ic_purge_cdn` or `wps_ic_purge_html`.
4. Because the plugin relies on `is_admin()` (which is true for every admin-ajax.php request, logged in or not) and does not include `current_user_can()` checks or nonce validation inside these handlers, the plugin processes the request as if it came from an authorized administrator, leading to unauthorized cache purging or other administrative side effects.
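The mechanism described in the Vulnerability Summary and the Exploit Outline, as an added example that is not part of this advisory or of the WP Compress code: a stand-alone PHP script that models the admin-ajax.php dispatch (hook prefix chosen by login state only), registers one handler in the vulnerable shape (hooked for anonymous callers, no check in the body) and one in a hardened shape (no nopriv hook, capability and nonce checked in the handler itself), then runs anonymous, subscriber and administrator callers against both. The WordPress functions in it are minimal stand-ins written for this example; the handler names are hypothetical, and the `manage_wpc_settings` capability and `wps_ic_nonce_action` nonce action are assumptions borrowed from the removed wpc_ic_setupCFOld() function in the fix diff.

```php
<?php
// Added example, not code from WP Compress or WordPress. The functions below are
// minimal stand-ins for the WordPress primitives that admin-ajax.php dispatch and
// a handler's own checks depend on, so the script runs with plain `php`.
// Assumptions: handler names, the 'manage_wpc_settings' capability and the
// 'wps_ic_nonce_action' nonce action (taken from the removed wpc_ic_setupCFOld()).

$GLOBALS['hooks']  = [];
$GLOBALS['user']   = ['logged_in' => false, 'caps' => []];
$GLOBALS['purged'] = 0;
const GOOD_NONCE = 'constructed-valid-nonce';   // constructed; real nonces are HMAC-derived per user and action

// --- stand-ins for the WordPress primitives the dispatch relies on ---
class AjaxExit extends Exception {}                      // wp_die() ends the request; modelled as an exception
function is_admin(): bool { return true; }               // true for every admin-ajax.php request, logged in or not
function add_action(string $hook, callable $cb): void { $GLOBALS['hooks'][$hook][] = $cb; }
function has_action(string $hook): bool { return !empty($GLOBALS['hooks'][$hook]); }
function do_action(string $hook): void { foreach ($GLOBALS['hooks'][$hook] ?? [] as $cb) { $cb(); } }
function is_user_logged_in(): bool { return $GLOBALS['user']['logged_in']; }
function current_user_can(string $cap): bool { return in_array($cap, $GLOBALS['user']['caps'], true); }
function wp_verify_nonce(string $nonce, string $action): bool { return hash_equals(GOOD_NONCE, $nonce); }
function wp_die(string $body, int $status = 200): void { throw new AjaxExit("$status $body"); }
function wp_send_json_error(string $msg, int $status = 200): void { wp_die(json_encode(['success' => false, 'data' => $msg]), $status); }
function wp_send_json_success(string $msg): void { wp_die(json_encode(['success' => true, 'data' => $msg])); }

// The part of admin-ajax.php that matters: the hook prefix is chosen purely by
// login state, and "logged in" is not "administrator".
function admin_ajax(string $action): string {
    try {
        $prefix = is_user_logged_in() ? 'wp_ajax_' : 'wp_ajax_nopriv_';
        if (!has_action($prefix . $action)) {
            wp_die('0', 400);                 // no handler registered for this class of caller
        }
        do_action($prefix . $action);
        wp_die('0');                          // handler returned without ending the request
    } catch (AjaxExit $e) {
        return $e->getMessage();
    }
}

// Vulnerable shape (as the advisory describes the pre-6.60.29 handlers): registered
// under an is_admin() guard that excludes nobody, also hooked for anonymous callers,
// and nothing checked in the body before the privileged action runs.
function vulnerable_purge_cdn(): void {
    $GLOBALS['purged']++;
    wp_send_json_success('purged');
}
if (is_admin()) {
    add_action('wp_ajax_vuln_purge_cdn', 'vulnerable_purge_cdn');
    add_action('wp_ajax_nopriv_vuln_purge_cdn', 'vulnerable_purge_cdn');
}

// Hardened shape: an admin-only action gets no nopriv hook at all, and the handler
// itself verifies the capability (authorization) and the nonce (CSRF) before acting.
function hardened_purge_cdn(): void {
    $nonce = (string) ($_POST['wps_ic_nonce'] ?? '');
    if (!current_user_can('manage_wpc_settings') || !wp_verify_nonce($nonce, 'wps_ic_nonce_action')) {
        wp_send_json_error('Forbidden.', 403);   // ends the request; nothing below runs
    }
    $GLOBALS['purged']++;
    wp_send_json_success('purged');
}
add_action('wp_ajax_safe_purge_cdn', 'hardened_purge_cdn');

// Walk through the caller classes an attacker can occupy (constructed scenarios).
$cases = [
    ['anonymous',  false, [],                      GOOD_NONCE, 'vuln_purge_cdn'],
    ['anonymous',  false, [],                      GOOD_NONCE, 'safe_purge_cdn'],
    ['subscriber', true,  ['read'],                GOOD_NONCE, 'vuln_purge_cdn'],
    ['subscriber', true,  ['read'],                GOOD_NONCE, 'safe_purge_cdn'],
    ['admin',      true,  ['manage_wpc_settings'], 'stale',    'safe_purge_cdn'],
    ['admin',      true,  ['manage_wpc_settings'], GOOD_NONCE, 'safe_purge_cdn'],
];
foreach ($cases as [$who, $loggedIn, $caps, $nonce, $action]) {
    $GLOBALS['user'] = ['logged_in' => $loggedIn, 'caps' => $caps];
    $_POST['wps_ic_nonce'] = $nonce;
    printf("%-10s -> %-15s : %s\n", $who, $action, admin_ajax($action));
}
printf("purges performed: %d (only the last one was authorized)\n", $GLOBALS['purged']);
```

Run it with `php example.php`. The anonymous and subscriber requests against the vulnerable handler both purge (three purges in total, one of them legitimate), the anonymous request against the hardened handler never reaches a handler because no nopriv hook exists (WordPress answers `0` with status 400), and the subscriber and stale-nonce requests are stopped inside the handler with a 403. The point the script makes is that `is_admin()` and the `wp_ajax_` prefix describe the entry point and the login state, not the caller's privileges, so the capability check has to live in the handler.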