{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25370", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.300Z", "datePublished": "2026-02-19T08:27:00.225Z", "dateUpdated": "2026-04-28T16:14:56.930Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-compress-image-optimizer", "product": "WP Compress", "vendor": "AresIT", "versions": [{"changes": [{"at": "6.60.29", "status": "unaffected"}], "lessThanOrEqual": "6.60.28", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:35.832Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Compress: from n/a through <= 6.60.28.</p>"}], "value": "Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Compress: from n/a through <= 6.60.28."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.930Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-compress-image-optimizer/vulnerability/wordpress-wp-compress-plugin-6-60-28-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Compress plugin <= 6.60.28 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T18:46:27.333802Z", "id": "CVE-2026-25370", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:36:35.195Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25370", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T18:46:27.333802Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:46:52.476Z"}}], "cna": {"title": "WordPress WP Compress plugin <= 6.60.28 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AresIT", "product": "WP Compress", "versions": [{"status": "affected", "changes": [{"at": "6.60.29", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "6.60.28"}], "packageName": "wp-compress-image-optimizer", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:35.832Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-compress-image-optimizer/vulnerability/wordpress-wp-compress-plugin-6-60-28-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Compress: from n/a through <= 6.60.28.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Compress: from n/a through <= 6.60.28.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.150Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25370", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:36:35.195Z", "dateReserved": "2026-02-02T12:52:55.300Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:00.225Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Compress: from n/a through <= 6.60.28."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en AresIT WP Compress wp-compress-image-optimizer permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Compress: desde n/a hasta &lt;= 6.60.28."}], "id": "CVE-2026-25370", "lastModified": "2026-04-28T02:16:05.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-19T09:16:19.707", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-compress-image-optimizer/vulnerability/wordpress-wp-compress-plugin-6-60-28-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.60.28]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "6.60.29"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Compress", "source": "cna", "vendor": "AresIT"}, "product": "wp_compress", "vendor": "aresit"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:33:35.348222+00:00", "value": {"mitigation_remediation": ["Update WP Compress to a version newer than 6.60.28.", "If an update is not available, restrict access to the plugin\u2019s administrative area to trusted administrators only or disable the plugin until a patch is released.", "Monitor the site for abnormal image\u2011compression activity and review access logs for suspicious requests."], "summary": {"action": "Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WP Compress image optimizer plugin from its earliest release through version 6.60.28. Any WordPress installation hosting one of these versions is at risk. The vendor is AresIT and the product is WP Compress.", "description_and_impact": "AresIT WP Compress plugin for WordPress contains a missing authorization control that permits unauthorized users to access privileged functionality within the plugin. The flaw is a classic example of CWE\u2011862: Missing Authorization. The impact is that an attacker could view or modify image\u2011compression settings and other protected plugin resources, potentially enabling further privilege escalation on the site. Although the description does not detail all consequences, it is clear that confidentiality and integrity of plugin configuration may be compromised.", "risk_and_exploitability": "CVSS v3 base score of 5.3 indicates moderate severity. The EPSS score of less than 1% shows the likelihood of exploitation is very low at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web\u2011based, inferred from the nature of the plugin and the absence of an authentication requirement in the description. An attacker can exploit the flaw by interacting with the plugin\u2019s administration interface or by crafting requests that bypass the missing permission checks. Based on the description, it is inferred that the exploitation does not require prior authentication, allowing an unauthenticated user to gain unauthorized access to privileged plugin functionality."}}}}, "created": "2026-02-20T10:08:43.882984+00:00", "updated": "2026-04-16T06:45:16.308617+00:00", "vendors": ["aresit", "aresit$PRODUCT$wp_compress", "wordpress", "wordpress$PRODUCT$wordpress"]}