Atomic Edge analysis of CVE-2026-25370:
The Compress WordPress plugin version 6.60.28 and earlier contains a missing authorization vulnerability in its AJAX handler for critical CSS generation. This allows unauthenticated attackers to trigger remote critical CSS generation requests, potentially causing resource exhaustion or unauthorized actions. The CVSS 5.3 score reflects medium severity due to the impact on availability and potential for abuse.

Root Cause:
The vulnerability exists in the `wpc_send_critical_remote()` function within `/wp-compress-image-optimizer/classes/ajax.class.php`. This AJAX handler performs no capability check and no nonce verification before processing requests. The function at line 4391 accepts POST requests containing `action=wpc_send_critical_remote` and processes them without validating user permissions. The JavaScript function `handleUserInteraction()` in `/wp-compress-image-optimizer/addons/cdn/rewriteLogic.php` at lines 948-975 sends these AJAX requests, but the server-side handler never verifies whether the requester is authorized.

Exploitation:
Attackers can send POST requests directly to `/wp-admin/admin-ajax.php` with the parameter `action=wpc_send_critical_remote`. The request must include additional parameters: `postID` (the WordPress post ID) and `realUrl` (the target URL for critical CSS generation). No authentication cookies, nonces, or API keys are required. The attack vector is a simple unauthenticated AJAX request that triggers server-side critical CSS processing, potentially consuming server resources or generating CSS for unauthorized posts.

Patch Analysis:
The patch in version 6.60.29 adds proper authorization checks to the vulnerable function. The fix introduces a capability check using `current_user_can('manage_wpc_settings')` and nonce verification with `wp_verify_nonce($_POST['wps_ic_nonce'], 'wps_ic_nonce_action')`. Before the patch, the function executed unconditionally for any request with the correct action parameter. After the patch, the function validates both user permissions and nonce tokens, ensuring only authorized administrators can trigger critical CSS generation. The patch also removes the vulnerable JavaScript code path that previously allowed unauthenticated triggering.
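An added example, not the plugin's own code, of an AJAX handler hardened along the lines the patch description gives: nonce verification with the `wps_ic_nonce` / `wps_ic_nonce_action` names and the `manage_wpc_settings` capability check, in the order a WordPress handler should apply them. The hook registration, the `postID`/`realUrl` validation and the placeholder `example_generate_critical_css()` routine are assumptions added here.

```php
// Illustrative example, not the plugin's code: an AJAX handler carrying the two checks
// the 6.60.29 patch is described as adding. Hook registration, input validation and
// example_generate_critical_css() are assumptions.

// Registered only on the logged-in hook; with no wp_ajax_nopriv_ registration an
// unauthenticated request to admin-ajax.php never reaches the handler at all.
add_action( 'wp_ajax_wpc_send_critical_remote', 'example_wpc_send_critical_remote' );

function example_wpc_send_critical_remote() {
    // 1. Nonce: the token must have been minted for this user with the same action
    //    string. wp_send_json_error() ends the request, so nothing below runs on failure.
    //    check_ajax_referer( 'wps_ic_nonce_action', 'wps_ic_nonce' ) is the one-call equivalent.
    $nonce = isset( $_POST['wps_ic_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['wps_ic_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'wps_ic_nonce_action' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Capability: the plugin's custom capability named in the patch.
    if ( ! current_user_can( 'manage_wpc_settings' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation (assumed hardening, beyond what the advisory describes):
    //    postID must name an existing post and realUrl must point at this site.
    $post_id  = isset( $_POST['postID'] ) ? absint( $_POST['postID'] ) : 0;
    $real_url = isset( $_POST['realUrl'] ) ? esc_url_raw( wp_unslash( $_POST['realUrl'] ) ) : '';
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 400 );
    }
    if ( wp_parse_url( $real_url, PHP_URL_HOST ) !== wp_parse_url( home_url(), PHP_URL_HOST ) ) {
        wp_send_json_error( array( 'message' => 'URL is not on this site.' ), 400 );
    }

    // Only an authorised, nonce-bearing request reaches the expensive work.
    wp_send_json_success( example_generate_critical_css( $post_id, $real_url ) );
}

// Placeholder for the plugin's real generation routine (assumption).
function example_generate_critical_css( $post_id, $url ) {
    return array( 'postID' => $post_id, 'url' => $url, 'queued' => true );
}

// The nonce is minted server-side and handed to the script that sends the POST,
// so the check above can succeed only for a page rendered for this logged-in user.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-critical', plugins_url( 'critical.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-critical', 'exampleCritical', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wps_ic_nonce_action' ),
    ) );
} );
```

The nonce check alone is not an authorization control (any logged-in user who can load the page can obtain one), which is why the capability check is the part that restricts the action to administrators.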

Impact:
Successful exploitation allows unauthenticated attackers to trigger critical CSS generation operations on the target WordPress site. This can lead to server resource exhaustion through repeated requests, potentially causing denial of service. Attackers could also generate CSS for posts they shouldn’t have access to, though the primary impact is unauthorized use of server resources and potential disruption of the site’s performance optimization features.