WP Compress <= 6.30.15 - Unauthenticated Server-Side Request Forgery via init Function
Description
An unauthenticated SSRF vulnerability in WP Compress up to v6.30.15 allows attackers to probe internal services via the plugin's init() function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to, and including, 6.30.15. The flaw is in the plugin's init() function, which takes a user-supplied URL and issues a web request to it without validating or restricting the destination. Nothing gates this code path, so it is reachable by any unauthenticated visitor. [1]
Exploitation
An unauthenticated attacker triggers the flaw by sending a crafted request to the endpoint that invokes the init() function, supplying the destination URL (for example http://localhost or an address in 192.168.x.x) in the request parameters. The plugin then issues an HTTP request to that location from the web server's own network context, so the response, or the timing and error behaviour, reveals what the server can reach. No privileges, user interaction, or network position beyond ordinary web access to the site is required. [1]
Impact
Successful exploitation lets the attacker make HTTP requests from the vulnerable WordPress server to arbitrary internal or external destinations. This can be used to discover and interact with services that are not meant to be reachable from the internet, such as cloud metadata endpoints, databases, or other containers and hosts on the same network, and to collect information for follow-on attacks. [1]
Mitigation
The plugin vendor has released version 7.00.08 (last updated 2026-04-15). The available references do not explicitly confirm that this release fixes the issue, but users should update to the latest version immediately. No workarounds are given in the references. Where updating is not possible, restrict outbound HTTP requests from the web server with egress firewall rules, or deactivate the plugin. [1]
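To make the exploitation and mitigation sections concrete, the following is an added illustration written for this page; it is not WP Compress's code, and the hook names, the request parameter name (target), the allowlisted host (api.example.com) and the nonce action are assumptions. The first handler has the shape the advisory describes: a request-supplied URL fetched server-side with no authentication and no destination check. The second shows the controls a WordPress plugin would normally apply to the same operation.

```php
<?php
// Added example, not the plugin's code. Handler names, the "target"
// parameter, the allowlisted host and the nonce action are assumptions.

// --- Vulnerable shape: a URL taken from the request is fetched by the
// server with no capability check, no nonce and no destination check.
add_action( 'init', function () {
    if ( empty( $_GET['target'] ) ) {
        return;
    }
    $url = wp_unslash( $_GET['target'] );
    // Server-side request to an attacker-chosen location (SSRF).
    $response = wp_remote_get( $url );
    wp_send_json( array( 'body' => wp_remote_retrieve_body( $response ) ) );
} );

// --- Hardened version of the same operation.
// Registered only under wp_ajax_ (no wp_ajax_nopriv_), so anonymous
// visitors never reach it; the capability and nonce checks are explicit.
add_action( 'wp_ajax_example_fetch', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_fetch' );

    $url = isset( $_POST['target'] ) ? esc_url_raw( wp_unslash( $_POST['target'] ) ) : '';

    // Allowlist the destination: scheme must be https and the host must be
    // one the plugin actually needs to talk to (assumed host for the example).
    $allowed_hosts = array( 'api.example.com' );
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    $host   = wp_parse_url( $url, PHP_URL_HOST );
    if ( 'https' !== $scheme || ! in_array( strtolower( (string) $host ), $allowed_hosts, true ) ) {
        wp_send_json_error( 'destination not allowed', 400 );
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so core's
    // wp_http_validate_url() also runs (it rejects loopback and RFC 1918
    // IPv4 targets). Redirects are disabled so the allowlisted host cannot
    // bounce the request to an internal address.
    $response = wp_safe_remote_get( $url, array(
        'timeout'     => 5,
        'redirection' => 0,
    ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( array(
        'status' => wp_remote_retrieve_response_code( $response ),
    ) );
} );
```

The host allowlist is the real control here. Core's wp_http_validate_url() only blocks 127.0.0.0/8 and the RFC 1918 IPv4 ranges by default; it does not cover link-local addresses such as the 169.254.169.254 cloud metadata endpoint or IPv6 targets, so relying on wp_safe_remote_get() alone would still leave the metadata probe described in the Impact section possible.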
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=6.30.15
- aresit/WP Compress – Instant Performance & Speed Optimization, v5, Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.