WordPress Plugin Vulnerabilities

WP Compress < 6.30.31 - Unauthenticated Broken Authentication

Description

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to broken authentication in all versions up to, and including, 6.30.30. This makes it possible for unauthenticated attackers to access functionality they should not have access to.

Affects Plugins

Plugin icon
wp-compress-image-optimizer
Fixed in 6.30.31

References

CVE
CVE-2025-47479
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/facb9fd5-86e7-4dc1-affc-eae7aeae5631

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
7.3 (high)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
01a4191e-ec56-4fa8-b5b2-82153275398b

Timeline

Publicly Published
2025-07-03 (about 10 months ago)
Added
2025-07-08 (about 10 months ago)
Last Updated
2025-07-08 (about 10 months ago)

Other

Published
Title
Published
2026-03-17
Title
KiviCare – Clinic & Patient Management System (EHR) < 4.1.3 - Unauthenticated Authentication Bypass via Social Login Token
Published
2026-02-23
Title
WeDesignTech Ultimate Booking Addon <= 1.0.1 - Authentication Bypass
Published
2015-03-04
Title
Dignitas 1.1.9 - Privilage Escalation
Published
2024-10-11
Title
Bot for Telegram on WooCommerce <= 1.2.7 - Subscriber+ Authentication Bypass
Published
2025-02-11
Title
Customer Email Verification for WooCommerce < 2.9.6 - Authentication Bypass via Shortcode