CVE-2025-64639

Severity: MEDIUM (CVSS 3.1 base score 5.3)
Published: 2025-12-16 by [email protected]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 16, 2025 - 09:15 (nvd), MEDIUM 5.3

Description

Missing Authorization vulnerability in WP Compress WP Compress for MainWP wp-compress-mainwp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Compress for MainWP: from n/a through <= 6.50.17.

Analysis

Missing authorization in WP Compress for MainWP plugin versions up to and including 6.50.17 allows unauthenticated remote attackers to modify plugin settings because access control on the affected endpoints is incorrectly configured. The impact is to integrity only (plugin configuration and the compressed content it governs); no authentication or user interaction is required.

Technical Context

The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the plugin fails to properly enforce authorization checks on sensitive operations. WP Compress for MainWP integrates with the MainWP management platform, a WordPress multisite management solution. The vulnerability exists in the plugin's administrative or API endpoints that handle configuration or compression settings. Without proper capability checks (such as WordPress's `current_user_can()` function with appropriate capabilities like `manage_options` or plugin-specific capabilities), attackers can invoke privileged functions remotely without authentication. This represents a broken access control implementation rather than an authentication bypass, as authentication may exist but authorization enforcement is absent or inadequate.
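The capability-check pattern described above, as an added example that is not code from WP Compress for MainWP or MainWP. The plugin name `example-compress`, the route paths, the option name `example_compress_quality` and the function names are hypothetical; the WordPress APIs (`register_rest_route`, `current_user_can`, `check_ajax_referer`, `update_option`) are real. The first route shows the CWE-862 shape (a public `permission_callback`), the second the same endpoint with authorization enforced before the callback runs:

```php
<?php
/**
 * Added example (not WP Compress for MainWP code): a hypothetical settings
 * endpoint for a plugin named "example-compress", first in the CWE-862
 * pattern the analysis describes, then with the missing checks in place.
 */

// --- Vulnerable pattern: route reachable by anyone, no capability check. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-compress/v1', '/settings-insecure', array(
        'methods'             => 'POST',
        'callback'            => 'example_compress_save_settings',
        // '__return_true' makes the route public: a user may be logged in,
        // but authorization is never enforced (broken access control).
        'permission_callback' => '__return_true',
    ) );
} );

// --- Hardened pattern: authorization enforced before the callback runs. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-compress/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_compress_save_settings',
        'permission_callback' => 'example_compress_can_manage',
        'args'                => array(
            'quality' => array(
                'type'              => 'integer',
                'minimum'           => 1,
                'maximum'           => 100,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_compress_can_manage( WP_REST_Request $request ) {
    // Capability check: an unauthenticated request has no user, so
    // current_user_can() is false and the request stops here with 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

function example_compress_save_settings( WP_REST_Request $request ) {
    // Hypothetical setting: a compression quality between 1 and 100.
    $quality = absint( $request->get_param( 'quality' ) );
    $quality = max( 1, min( 100, $quality ) );
    update_option( 'example_compress_quality', $quality );
    return rest_ensure_response( array( 'quality' => $quality ) );
}

// Same rule for admin-ajax handlers: a capability check plus a nonce, and
// no wp_ajax_nopriv_ registration for a privileged action.
add_action( 'wp_ajax_example_compress_save', 'example_compress_ajax_save' );

function example_compress_ajax_save() {
    check_ajax_referer( 'example_compress_save', 'nonce' ); // rejects CSRF
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    $quality = isset( $_POST['quality'] ) ? absint( $_POST['quality'] ) : 80;
    update_option( 'example_compress_quality', max( 1, min( 100, $quality ) ) );
    wp_send_json_success( array( 'quality' => get_option( 'example_compress_quality' ) ) );
}
```

The point to review in any settings handler is the second route's `permission_callback`: it is where the authorization decision is made, independent of whether the caller happens to be authenticated. A nonce alone (CSRF protection) is not a substitute for the capability check, and a `wp_ajax_nopriv_` hook on a privileged action reproduces the same flaw on the admin-ajax path.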

Affected Products

WP Compress for MainWP plugin is affected in versions from initial release through and including version 6.50.17. The plugin is distributed via the WordPress plugin ecosystem and integrates with MainWP (a WordPress multisite management platform). The vulnerability affects all installations running the vulnerable version range on WordPress sites managed through MainWP. Per the Patchstack vulnerability database reference, the vendor advisory and patch information is available at https://patchstack.com/database/Wordpress/Plugin/wp-compress-mainwp/vulnerability/wordpress-wp-compress-for-mainwp-plugin-6-50-07-broken-access-control-vulnerability.

Remediation

Update WP Compress for MainWP plugin to a version newer than 6.50.17. Check the official plugin repository or vendor advisory at https://patchstack.com/database/Wordpress/Plugin/wp-compress-mainwp/ for the exact patched version number and release date. If an immediate update is unavailable, implement network-level access controls to restrict access to MainWP administrative interfaces to trusted IP addresses or VPN networks only. Additionally, review and restrict user roles and capabilities within WordPress to ensure only trusted administrators have access to plugin settings. Monitor access logs for suspicious POST/GET requests to plugin configuration endpoints. If the plugin cannot be patched immediately, consider disabling WP Compress for MainWP temporarily until a patch is confirmed available and deployed.

Priority Score: 27 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0

CVE-2025-64639 vulnerability details – vuln.today