WP Compress <= 6.30.15 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions
Description
Missing capability checks in WP Compress AJAX functions allow authenticated attackers (Subscriber+) to read, modify, or delete plugin settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its AJAX functions in all versions up to, and including, 6.30.15 [1]. The plugin lacks proper permission verification, making various administrative actions accessible to any authenticated user regardless of role.
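A static check for this bug class, as an added example that is not taken from the plugin or the advisory: it lists `wp_ajax_` hooks in PHP source and reports callbacks that never call `current_user_can()`. The handler, nonce and option names in the sample are constructed and are not WP Compress identifiers.

```python
import re

# Constructed sample. Handler and option names are hypothetical, not WP Compress code.
SAMPLE_PHP = r"""
add_action('wp_ajax_example_get_settings', 'example_get_settings');
add_action('wp_ajax_example_save_settings', 'example_save_settings');
add_action('wp_ajax_example_reset', [$this, 'example_reset']);
function example_get_settings() {
    wp_send_json_success(get_option('example_settings'));
}
function example_save_settings() {
    check_ajax_referer('example_nonce');
    if (!current_user_can('manage_options')) { wp_send_json_error('forbidden', 403); }
    update_option('example_settings', $_POST['settings']);
}
public function example_reset() {
    check_ajax_referer('example_nonce');  // nonce only: stops CSRF, not a Subscriber
    delete_option('example_settings');
}
"""

# wp_ajax_<action> hooks (nopriv variants skipped), callback as 'name' or [$this, 'name'].
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(?!nopriv_)(\w+)['"]\s*,\s*[^'")]*['"](\w+)['"]""")

def function_body(source, name):
    """Body of PHP function `name`, or None. Naive: braces in strings/comments count."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def audit_ajax_handlers(source):
    """Map each wp_ajax_ action to 'guarded', 'unguarded' or 'unresolved'."""
    report = {}
    for action, callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        if body is None:  # callback defined in another file: review by hand
            report[action] = "unresolved"
        else:
            report[action] = "guarded" if "current_user_can(" in body else "unguarded"
    return report

if __name__ == "__main__":
    print(audit_ajax_handlers(SAMPLE_PHP))
```

A handler that only verifies a nonce is still reported as unguarded, because a nonce issued to a Subscriber passes that check.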
Exploitation
An attacker needs only a valid WordPress account with Subscriber-level access or higher. By sending crafted AJAX requests to the affected endpoints, the attacker can retrieve sensitive plugin settings and configuration details, or alter and delete them [1]. No additional privileges or user interaction beyond authentication are required.
Impact
Successful exploitation leads to disclosure of sensitive information (e.g., API keys, CDN credentials, performance configurations), disruption of the plugin's functionality, and potentially degradation of overall site performance [1]. The attacker may also delete critical settings, causing persistent damage until manual restoration.
Mitigation
The vendor has released version 7.00.08, which is the latest version as of the reference date [1]. Users should update to 7.00.08 or later immediately. No workarounds beyond disabling the plugin have been disclosed. The vulnerability is not known to be listed in the CISA KEV catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Range: <=6.30.15
- aresit/WP Compress – Instant Performance & Speed Optimization v5 Range: 0