WP Compress WP Compress CVE-2025-64639
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in WP Compress WP Compress for MainWP wp-compress-mainwp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Compress for MainWP: from n/a through <= 6.50.17.
AnalysisAI
Missing authorization in WP Compress for MainWP plugin versions up to 6.50.17 allows unauthenticated remote attackers to modify plugin settings due to incorrectly configured access control, affecting integrity of compressed content and plugin configuration without requiring authentication or user interaction.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the plugin fails to properly enforce authorization checks on sensitive operations. WP Compress for MainWP integrates with the MainWP management platform, a WordPress multisite management solution. The vulnerability exists in the plugin's administrative or API endpoints that handle configuration or compression settings. Without proper capability checks (such as WordPress's current_user_can() function with appropriate capabilities like manage_options or plugin-specific capabilities), attackers can invoke privileged functions remotely without authentication. This represents a broken access control implementation rather than an authentication bypass, as authentication may exist but authorization enforcement is absent or inadequate.
Affected ProductsAI
WP Compress for MainWP plugin is affected in versions from initial release through and including version 6.50.17. The plugin is distributed via the WordPress plugin ecosystem and integrates with MainWP (a WordPress multisite management platform). The vulnerability affects all installations running the vulnerable version range on WordPress sites managed through MainWP. Per the Patchstack vulnerability database reference, the vendor advisory and patch information is available at https://patchstack.com/database/Wordpress/Plugin/wp-compress-mainwp/vulnerability/wordpress-wp-compress-for-mainwp-plugin-6-50-07-broken-access-control-vulnerability.
RemediationAI
Update WP Compress for MainWP plugin to a version newer than 6.50.17. Check the official plugin repository or vendor advisory at https://patchstack.com/database/Wordpress/Plugin/wp-compress-mainwp/ for the exact patched version number and release date. If an immediate update is unavailable, implement network-level access controls to restrict access to MainWP administrative interfaces to trusted IP addresses or VPN networks only. Additionally, review and restrict user roles and capabilities within WordPress to ensure only trusted administrators have access to plugin settings. Monitor access logs for suspicious POST/GET requests to plugin configuration endpoints. If the plugin cannot be patched immediately, consider disabling WP Compress for MainWP temporarily until a patch is confirmed available and deployed.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today