WordPress Plugin Vulnerabilities

WP Compress < 6.30.31 - Cross-Site Request Forgery

Description

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.30.30. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wp-compress-image-optimizer
Fixed in 6.30.31

References

CVE
CVE-2025-47546
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e68a3487-4436-4c44-9833-689c86a08bc8

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Snurkeburk, SashaRyba
Verified
No
WPVDB ID
4b29ff16-613b-4603-a45c-999468c9f4b8

Timeline

Publicly Published
2025-05-07 (about 1 year ago)
Added
2025-05-13 (about 1 year ago)
Last Updated
2025-05-13 (about 1 year ago)

Other

Published
Title
Published
2025-04-07
Title
WPFront User Role Editor < 4.2.2 - Cross-Site Request Forgery to Privilege Escalation via whitelist_options Function
Published
2025-07-16
Title
WooCommerce Google Sheet Connector < 1.4.0 - Cross-Site Request Forgery
Published
2025-01-16
Title
W3SPEEDSTER <= 7.33 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-11-01
Title
Funnelforms Free < 3.4.2 - Cross-Site Request Forgery to Arbitrary Post Deletion
Published
2025-04-17
Title
RSS Manager <= 0.06 - Cross-Site Request Forgery to Stored Cross-Site Scripting