CVE-2025-47546

7.1 HIGH

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in the AresIT WP Compress WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. This affects all WordPress sites using WP Compress versions up to 6.30.30. Attackers could modify plugin settings or potentially perform other administrative actions.

💻 Affected Systems

Products:
  • AresIT WP Compress Image Optimizer
Versions: n/a through 6.30.30
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires an authenticated WordPress administrator as the victim; affects all default configurations of vulnerable versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could reconfigure image optimization settings to degrade site performance, modify security settings, or potentially chain with other vulnerabilities for further compromise.

🟠

Likely Case

Attackers trick administrators into changing plugin settings, potentially disrupting image optimization or site functionality.

🟢

If Mitigated

With proper CSRF protections and user awareness, exploitation attempts would fail or be detected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks typically require social engineering to trick authenticated users; no authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.30.31 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/wp-compress-image-optimizer/vulnerability/wordpress-wp-compress-6-30-30-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Compress and click 'Update Now'.
4. Verify the update to version 6.30.31 or later.

🔧 Temporary Workarounds

Implement CSRF Protection Headers

Platform: all

Add Content Security Policy headers to help prevent CSRF attacks. Note that CSP only restricts which origins the site's own pages may load resources from and submit forms to; it does not verify where an incoming request originated, so use it alongside the nonce checks and SameSite cookie settings listed under "If You Can't Patch" rather than on its own.

Add to .htaccess:

Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"

Temporary Plugin Deactivation

Platform: linux

Disable WP Compress until patched if an immediate update is not possible (WP-CLI):

wp plugin deactivate wp-compress-image-optimizer

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies and CSRF tokens site-wide
  • Educate administrators about phishing risks and require manual confirmation for sensitive actions

🔍 How to Verify

Check if Vulnerable:

Check the WP Compress version in the WordPress admin under Plugins > Installed Plugins.

Check Version (WP-CLI):

wp plugin get wp-compress-image-optimizer --field=version

Verify Fix Applied:

Confirm the WP Compress version is 6.30.31 or higher in the plugin details.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed CSRF token validations
  • Unexpected plugin setting changes in WordPress logs

Network Indicators:

  • POST requests to wp-admin/admin-ajax.php without proper referrer headers
  • Suspicious cross-origin requests to plugin endpoints
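As an added example, not part of this advisory, the following Python script implements the two network indicators above over a constructed access-log sample: it flags POST requests to the WordPress admin endpoints whose Origin/Referer header is missing or belongs to a host other than the site itself. The log layout (combined format with the Origin header appended), the site host example.com and all log entries are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample access log (not from the original page): combined format
# with the request's Origin header appended as a final quoted field.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://example.com/wp-admin/admin.php?page=wp-compress" "Mozilla/5.0" "https://example.com"
203.0.113.11 - - [01/Jun/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://evil.example.net/promo.html" "Mozilla/5.0" "https://evil.example.net"
203.0.113.12 - - [01/Jun/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.13 - - [01/Jun/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://example.com/wp-admin/" "Mozilla/5.0" "-"
203.0.113.14 - - [01/Jun/2025:10:00:05 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://evil.example.net/" "Mozilla/5.0" "https://evil.example.net"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*" "(?P<origin>[^"]*)"$'
)

# State-changing WordPress admin endpoints that CSRF attempts are aimed at.
ADMIN_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

def _host(url):
    """Host part of a URL; None for an absent ('-' or empty) header."""
    return urlparse(url).hostname if url and url != "-" else None

def classify(line, site_host):
    """Return (reason, ip) if the line is a suspicious admin POST, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if m.group("method") != "POST" or path not in ADMIN_ENDPOINTS:
        return None
    # Browsers send Origin on cross-origin POSTs; fall back to Referer if absent.
    source = _host(m.group("origin")) or _host(m.group("referer"))
    if source is None:
        return ("missing-origin-and-referer", m.group("ip"))
    if source != site_host:
        return ("cross-origin:" + source, m.group("ip"))
    return None

def find_suspicious(log_text, site_host="example.com"):
    """Scan every line and collect (reason, ip) hits in log order."""
    hits = [classify(line, site_host) for line in log_text.splitlines()]
    return [h for h in hits if h is not None]
```

A missing Referer on its own is a weak signal, since browser privacy settings and referrer policies routinely strip it, so treat the "missing" hits as triage leads and the cross-origin hits as the stronger indicator.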

SIEM Query:

source="wordpress" AND (event="csrf_validation_failed" OR plugin="wp-compress")

🔗 References
