CVE-2025-2109 in WP Compress Plugin

Summary

by MITRE • 03/25/2025

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.


Analysis

by VulDB Data Team • 08/12/2025

The WP Compress – Instant Performance & Speed Optimization plugin presents a critical server-side request forgery vulnerability that affects all versions up to and including 6.30.15. This vulnerability resides within the plugin's init() function and represents a significant security weakness that can be exploited by unauthenticated attackers to perform unauthorized web requests from the target web application. The flaw allows malicious actors to leverage the plugin's functionality to communicate with internal services that would normally be protected from external access, effectively bypassing network segmentation controls and exposing internal resources to potential exploitation.

The technical nature of this vulnerability aligns with CWE-918, which specifically addresses server-side request forgery flaws that enable attackers to manipulate the target application into making unintended requests to internal systems. This particular implementation allows attackers to specify arbitrary URLs that the web application will attempt to access, potentially exposing sensitive internal services, databases, or other network resources that are not directly accessible from the internet. The vulnerability's impact is amplified by the fact that it requires no authentication to exploit, making it particularly dangerous in environments where WordPress installations serve as entry points to broader network infrastructures.

Operationally, this vulnerability creates a substantial risk for WordPress installations that rely on the affected plugin, as it enables attackers to perform reconnaissance activities against internal networks, potentially mapping service configurations and identifying vulnerable internal systems. The attack vector allows for information disclosure through requests to internal services that may contain sensitive data, and could potentially facilitate further exploitation if internal systems are misconfigured or contain additional vulnerabilities. The implications extend beyond simple data exposure, as this vulnerability could serve as a stepping stone for attackers to establish persistence or escalate privileges within the affected network environment.

Organizations should immediately implement mitigations including patching to the latest available version of the plugin, which should address the server-side request forgery vulnerability through proper input validation and URL sanitization. Network segmentation controls should be reviewed to limit access to internal services from web-facing applications, and firewall rules should be implemented to prevent outbound connections from the web server to internal networks. Additionally, monitoring should be enhanced to detect unusual outbound network requests from the WordPress installation, which could indicate exploitation attempts. Security teams should also consider implementing web application firewalls to filter potentially malicious requests and conduct thorough network scans to identify any internal systems that may have been compromised through this vulnerability. This remediation approach aligns with ATT&CK technique T1071.004 for application layer protocol evasion and T1566 for credential access through network service exploitation, ensuring comprehensive protection against the identified threat vector.
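The two controls above that a practitioner can actually implement, outbound URL validation in the application and detection of web-tier egress to internal address space, are shown below as an added example. This is not code from the WP Compress plugin or from VulDB; the plugin's init() function is not reproduced here. The host names, IP addresses, allowlist and egress-log lines are constructed for illustration, and the resolver is injectable so the check runs offline.

```python
"""
Added example (not the plugin's code): two defensive checks against SSRF of
the kind described for CVE-2025-2109.

1. validate_outbound_url(): the input validation / URL sanitization a plugin
   should apply before fetching a user-influenced URL.
2. flag_internal_egress(): a detector run over constructed egress-firewall
   log lines, flagging outbound connections from the web server to internal
   address ranges, which is what a successful SSRF looks like on the wire.

All hosts, IPs and log lines are constructed for illustration.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Ranges a public web server should normally never be asked to fetch from.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]


def is_internal_address(ip: str) -> bool:
    """True if ip is loopback, private, link-local or CGNAT (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return any(addr in net for net in INTERNAL_NETWORKS)


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched on the user's behalf."""


def validate_outbound_url(url, allowed_hosts=None, resolver=socket.gethostbyname):
    """Return the resolved IP the caller may connect to, or raise UnsafeUrl.

    Checks, in order: scheme is http(s); no userinfo; host is on the
    allowlist (when one is given); the resolved address is public. Returning
    the resolved IP lets the caller connect to that exact address, so DNS
    cannot change between the check and the fetch.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeUrl("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("URL has no host")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise UnsafeUrl(f"host not on allowlist: {host!r}")
    try:
        ip = str(ipaddress.ip_address(host))  # literal IP, no DNS needed
    except ValueError:
        ip = resolver(host)
    if is_internal_address(ip):
        raise UnsafeUrl(f"{host} resolves to internal address {ip}")
    return ip


# Constructed egress-firewall log format: one connection per line.
EGRESS_LINE = re.compile(
    r"^(?P<ts>\S+) egress src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)
WEB_SERVERS = {"203.0.113.10"}  # constructed: the public-facing WordPress host


def flag_internal_egress(log_lines):
    """Return (timestamp, dst, dport) for each outbound connection from a
    web server to an internal address; the web tier should not make these."""
    hits = []
    for line in log_lines:
        m = EGRESS_LINE.match(line.strip())
        if m and m["src"] in WEB_SERVERS and is_internal_address(m["dst"]):
            hits.append((m["ts"], m["dst"], int(m["dport"])))
    return hits


SAMPLE_EGRESS_LOG = [  # constructed sample lines
    "2025-03-25T10:00:01Z egress src=203.0.113.10 dst=198.51.100.7 dport=443 action=allow",
    "2025-03-25T10:00:02Z egress src=203.0.113.10 dst=169.254.169.254 dport=80 action=allow",
    "2025-03-25T10:00:03Z egress src=203.0.113.10 dst=10.0.5.20 dport=6379 action=allow",
    "2025-03-25T10:00:04Z egress src=10.0.5.20 dst=10.0.5.21 dport=5432 action=allow",
]

if __name__ == "__main__":
    print(validate_outbound_url("https://api.example.com/v1",
                                {"api.example.com"}, resolver=lambda h: "198.51.100.7"))
    for bad in ("http://127.0.0.1/", "ftp://api.example.com/", "https://evil.example/"):
        try:
            validate_outbound_url(bad, {"api.example.com"}, resolver=lambda h: "198.51.100.7")
        except UnsafeUrl as e:
            print("rejected:", bad, "-", e)
    print(flag_internal_egress(SAMPLE_EGRESS_LOG))
```

The allowlist and the address check are deliberately both present: the allowlist confines a plugin that only ever needs to talk to its vendor's API, and the address check still catches an allowlisted name that resolves to an internal address. The egress detector is the complement on the network side; once the web tier is denied outbound access to internal ranges, any logged attempt is itself the alert.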

Reservation

03/07/2025

Disclosure

03/25/2025

Moderation

accepted

CPE

ready

EPSS

0.00428

KEV

no

Activities

very low
