CVE-2025-8889: 
WordPress vulnerability analysis and mitigation

The Compress & Upload WordPress plugin before version 1.0.5 contains a file validation vulnerability identified as CVE-2025-8889. The vulnerability was discovered and publicly disclosed on September 9, 2025. This security flaw affects WordPress installations using the Compress Then Upload plugin versions prior to 1.0.5, specifically impacting high-privilege users such as administrators (WPScan, AttackerKB).

The vulnerability stems from improper file validation mechanisms in the plugin, which fails to adequately validate uploaded files. The flaw has been assigned a CVSS v3 Base Score of 6.5 (Medium), with attack vector parameters indicating Network-based attack potential, Low attack complexity, and No privileges or user interaction required. The technical exploit involves intercepting and modifying upload requests to bypass weak server-side image validations, potentially allowing the upload of malicious files (WPScan).

The vulnerability allows high-privilege users such as administrators to upload arbitrary files on the server in scenarios where such actions should be restricted, particularly in multisite WordPress setups. This could potentially lead to unauthorized file uploads and possible remote code execution if exploited successfully (AttackerKB).

The recommended mitigation is to upgrade the Compress Then Upload plugin to version 1.0.5 or later, which contains fixes for this vulnerability (WPScan).