CVE-2025-2109: 
WordPress vulnerability analysis and mitigation

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 6.30.15. The vulnerability exists in the init() function and allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query information from internal services (NVD).

The vulnerability has been assigned CVE-2025-2109 and has a CVSS v3.1 Base Score of 5.8 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N. The issue is classified as CWE-918 (Server-Side Request Forgery). The vulnerability was discovered in the init() function of the plugin's core file (WordPress Plugin).

The vulnerability allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. This can be exploited to query information from internal services, potentially exposing sensitive information or internal systems that should not be accessible from the public internet (NVD).

The vulnerability has been patched in version 6.30.16 of the plugin. Users are advised to update to this version or later to protect against this security issue. The update includes fixes for WooFragments Exclusion, windowWidth Conflict in DelayJS, and various WP Ajax patches (WordPress Plugin).