VYPR
Unrated severity · NVD Advisory · Published Jan 4, 2025 · Updated Apr 8, 2026

WP Compress – Instant Performance & Speed Optimization <= 6.30.03 - Reflected Cross-Site Scripting via custom_server Parameter

CVE-2024-12047

Description

WP Compress plugin ≤6.30.03 has a reflected XSS via the 'custom_server' parameter, allowing unauthenticated attackers to inject scripts that execute when a user clicks a malicious link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) through the custom_server parameter in all versions up to and including 6.30.03 [1]. The vulnerability stems from insufficient input sanitization and output escaping, allowing arbitrary web script injection. Affected versions include all releases prior to the patched version 7.00.08 [1].

Exploitation

An unauthenticated attacker can exploit this flaw by crafting a malicious URL containing a payload in the custom_server parameter. The attack requires user interaction: the victim must be tricked into clicking the crafted link, which triggers the reflected script execution in the context of their browser session [1]. No authentication or special network position is required for the initial injection.

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts into pages generated by the plugin. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, compromising the confidentiality and integrity of the affected WordPress installation. The attacker operates within the security context of the victim user.

Mitigation

The vendor has released version 7.00.08, which likely addresses the vulnerability; users are strongly advised to update immediately. No workarounds are documented in the available references. No known evidence of exploitation in the wild has been cited.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
