[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGL-iGgoe3L8uqMyXT_gVrQNJ5P-bBnUSVe9ush90a4k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-25370","compress-missing-authorization","Compress \u003C= 6.60.28 - Missing Authorization","The Compress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.60.28. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-compress-image-optimizer",null,"\u003C=6.60.28","6.60.29","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-17 00:00:00","2026-02-24 19:24:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb8aa8208-e897-4c08-9253-76bbe159bee8?source=api-prod",8,[22,23,24,25,26,27,28,29],"addons\u002Fcdn\u002FrewriteLogic.php","addons\u002Fcf-sdk\u002Fcf-sdk.php","addons\u002Flegacy\u002Fcompress.php","classes\u002Fajax.class.php","classes\u002Fcname.class.php","defines.php","readme.txt","templates\u002Fadmin\u002Fadvanced_settings_v4.php","researched",false,3,"# Research Plan: CVE-2026-25370 - Missing Authorization in WP Compress\n\n## Vulnerability Summary\nThe **WP Compress – Instant Performance & Speed Optimization** plugin (versions \u003C= 6.60.28) is vulnerable to missing authorization. The plugin registers several AJAX actions that are intended for administrative use but fails to perform sufficient capability checks within the handler functions. Specifically, the `wps_ic_ajax` class registers many actions using a helper method `add_ajax`, which (based on the behavior and description) likely registers both `wp_ajax_` (authenticated) and `wp_ajax_nopriv_` (unauthenticated) hooks. Because the plugin relies on a global `is_admin()` check in its constructor that is always true during `admin-ajax.php` requests, sensitive actions like cache purging are exposed to unauthenticated users.\n\n## Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `wps_ic_purge_cdn` or `wps_ic_purge_html`\n- **Method**: POST or GET (usually POST for AJAX)\n- **Parameters**: `action=wps_ic_purge_cdn`\n- **Authentication**: None Required (PR:N)\n- **Preconditions**: The plugin must be active and ideally configured with an API key (to pass the `!empty(parent::$api_key)` check in the `is_admin()` block of `classes\u002Fajax.class","The WP Compress plugin for WordPress fails to perform authorization checks and nonce verification on several AJAX actions, such as cache purging and CDN management. This allows unauthenticated attackers to trigger sensitive administrative actions by sending requests to the admin-ajax.php endpoint.","\u002F\u002F classes\u002Fajax.class.php @ line 38\npublic function __construct()\n{\n self::$Requests = new wps_ic_requests();\n\n if (is_admin()) {\n \u002F\u002F ... (truncated)\n if (!empty(parent::$api_key)) {\n \u002F\u002F ... (truncated)\n $this->add_ajax('wps_ic_purge_cdn');\n $this->add_ajax('wps_ic_purge_html');\n $this->add_ajax('wps_ic_purge_critical_css');\n \u002F\u002F ... (truncated)\n }\n } else {\n $this->add_ajax('wpc_ic_set_mode');\n $this->add_ajax('wpc_send_critical_remote');\n $this->add_ajax_nopriv('wpc_send_critical_remote');\n $this->add_ajax('wps_ic_purge_html');\n $this->add_ajax('wps_ic_purge_cdn');\n \u002F\u002F ... (truncated)\n }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-compress-image-optimizer\u002F6.60.28\u002Fclasses\u002Fajax.class.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-compress-image-optimizer\u002F6.60.29\u002Fclasses\u002Fajax.class.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-compress-image-optimizer\u002F6.60.28\u002Fclasses\u002Fajax.class.php\t2026-01-24 08:48:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-compress-image-optimizer\u002F6.60.29\u002Fclasses\u002Fajax.class.php\t2026-01-28 10:25:10.000000000 +0000\n@@ -387,51 +387,6 @@\n }\n \n \n- public function wpc_ic_setupCFOld()\n- {\n- if (!current_user_can('manage_wpc_settings') || !wp_verify_nonce($_POST['wps_ic_nonce'], 'wps_ic_nonce_action')) {\n- wp_send_json_error('Forbidden.');\n- }\n-\n- $token = sanitize_text_field($_POST['token']);\n- $zoneInput = sanitize_text_field($_POST['zone']);\n-\n- $cfapi = new WPC_CloudflareAPI($token);\n- $whitelist = $cfapi->whitelistIPs($zoneInput);\n-\n- \u002F\u002F TODO: Add functions\n- $cf = get_option(WPS_IC_CF);\n- \u002F\u002F Static Assets & Edge Cache\n- $cfapi->updateWPCCacheConfig($zoneInput, 1, 'all');\n- \u002F\u002F CF Real Time CDN\n- $dns_result = $cfapi->addCfCname($zoneInput);\n-\n- \u002F\u002F set custom cname\n- $cf['custom_cname'] = $cfapi->getCfCname();\n- $cfCname = $cfapi->getCfCname();\n- $cf['settings'] = ['assets' => '1', 'edge-cache' => 'all', 'cdn' => '1'];\n-\t update_option(WPS_IC_CF_CNAME, $cfCname);\n- update_option(WPS_IC_CF, $cf);\n-\n- \u002F\u002F TODO Save Cname into API\n- $requests = new wps_ic_requests();\n- $options = get_option(WPS_IC_OPTIONS);\n- $apikey = $options['api_key'];\n- $requests->GET(WPS_IC_KEYSURL, ['action' => 'cloudflare_setCname', 'apikey' => $apikey, 'cname' => $cfapi->getCfCname(), 'time' => microtime(true)]);\n-\n- self::$options = get_option(WPS_IC_SETTINGS);\n- self::$options['cf'] = $cf['settings'];\n- $cfCname = $cfapi->getCfCname();\n-\t update_option(WPS_IC_CF_CNAME, $cfCname);\n- update_option(WPS_IC_SETTINGS, self::$options);\n-\n- if (is_wp_error($whitelist)) {\n- wp_send_json_error($whitelist->get_error_message());\n- }\n-\n- wp_send_json_success('whitelisted-successfully');\n- }\n-\n public function wpc_send_critical_remote()","The exploit targets the WordPress AJAX endpoint to perform unauthorized actions. \n\n1. An unauthenticated attacker identifies a site using a vulnerable version of WP Compress.\n2. The attacker sends a POST or GET request to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n3. The request includes an `action` parameter corresponding to one of the unprotected actions, such as `wps_ic_purge_cdn` or `wps_ic_purge_html`.\n4. Because the plugin relies on `is_admin()` (which is true for AJAX requests) and fails to include internal `current_user_can()` checks or nonce validation for these actions, the plugin processes the request as if it originated from an authorized administrator, leading to unauthorized cache purging or other administrative side-effects.","gemini-3-flash-preview","2026-04-20 21:16:30","2026-04-20 21:17:18",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.60.28","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-compress-image-optimizer\u002Ftags\u002F6.60.28","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-compress-image-optimizer.6.60.28.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-compress-image-optimizer\u002Ftags\u002F6.60.29","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-compress-image-optimizer.6.60.29.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-compress-image-optimizer\u002Ftags"]