CVE-2025-8889: 
WordPress vulnerability analysis and mitigation

The Compress Then Upload WordPress plugin versions prior to 1.0.5 contains a file upload vulnerability identified as CVE-2025-8889. The vulnerability was discovered by Muhammed Çelik and publicly disclosed on August 19, 2025. This security issue affects the file upload functionality of the plugin, specifically impacting WordPress installations where the plugin is active (WPScan).

The vulnerability stems from improper file validation in the upload functionality. The plugin fails to properly validate uploaded files, allowing privileged users such as administrators to upload arbitrary files to the server, even in scenarios where such uploads should be restricted, such as in multisite setups. The issue can be exploited through the plugin's upload interface accessible via Media > Compress Then Upload Images in the WordPress Admin Panel (WPScan).

The vulnerability allows authenticated attackers with administrative privileges to upload arbitrary files to the server, potentially leading to remote code execution if malicious files are uploaded. This is particularly concerning in multisite setups where such capabilities should be restricted (WPScan).

The vulnerability has been patched in version 1.0.5 of the Compress Then Upload plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).