
CVE-2025-2109: CWE-918 Server-Side Request Forgery (SSRF) in smartersite WP Compress – Instant Performance & Speed Optimization

Severity: Medium
Published: Tue Mar 25 2025 (03/25/2025, 11:12:08 UTC)
Source: CVE Database V5
Vendor/Project: smartersite
Product: WP Compress – Instant Performance & Speed Optimization

Description

CVE-2025-2109 is a Server-Side Request Forgery (SSRF) vulnerability in the WP Compress – Instant Performance & Speed Optimization WordPress plugin affecting all versions up to 6.30.15. It allows unauthenticated attackers to make arbitrary web requests originating from the vulnerable web application via the init() function. This can be exploited to access internal services or sensitive information not normally accessible externally. The vulnerability has a CVSS score of 5.8 (medium severity) with no authentication or user interaction required, and it impacts confidentiality but not integrity or availability. No known exploits are currently reported in the wild. Organizations using this plugin on WordPress sites should prioritize patching or mitigating this issue to prevent potential internal network reconnaissance or data exposure. Countries with high WordPress adoption and significant use of this plugin are at greater risk.

AI-Powered Analysis

Last updated: 02/25/2026, 22:16:11 UTC

Technical Analysis

CVE-2025-2109 is a Server-Side Request Forgery (SSRF) vulnerability identified in the WP Compress – Instant Performance & Speed Optimization plugin for WordPress, maintained by smartersite. The vulnerability exists in all versions up to and including 6.30.15 and is triggered via the plugin's init() function. SSRF vulnerabilities allow an attacker to abuse the server's ability to make HTTP requests, causing it to send requests to arbitrary destinations chosen by the attacker. In this case, unauthenticated attackers can exploit the flaw without needing any credentials or user interaction. By leveraging this SSRF, attackers can potentially access internal services behind firewalls, query metadata services, or interact with other internal network resources that are otherwise inaccessible externally. The vulnerability impacts confidentiality by exposing internal information but does not affect data integrity or availability. The CVSS v3.1 base score is 5.8, reflecting a medium severity level due to the ease of exploitation (network accessible, no privileges or user interaction required) but limited impact scope. No public exploits or active exploitation campaigns have been reported to date. The lack of an official patch at the time of reporting means organizations must rely on mitigations until an update is released. Given WordPress's widespread use and the popularity of performance optimization plugins, this vulnerability poses a notable risk to websites using this plugin, especially those hosted in environments with sensitive internal services.

Potential Impact

The primary impact of this SSRF vulnerability is unauthorized internal network reconnaissance and potential information disclosure. Attackers can use the vulnerable WordPress plugin to send crafted requests from the web server to internal systems, which may include databases, internal APIs, cloud metadata services, or other protected resources. This can lead to leakage of sensitive data such as configuration details, credentials, or internal IP addresses. While the vulnerability does not directly allow code execution or data modification, the information gained can facilitate further attacks, including lateral movement or privilege escalation. Organizations relying on this plugin expose themselves to risks of data breaches and network mapping by external attackers. The vulnerability affects all installations of the plugin up to version 6.30.15, which could be widespread given the plugin’s function in performance optimization. The medium CVSS score reflects moderate risk, but the ease of exploitation and unauthenticated access increase the urgency for mitigation. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once details are public.

Mitigation Recommendations

Until an official patch is released, organizations should implement specific mitigations to reduce risk. First, restrict outbound HTTP requests from the web server hosting the WordPress site to only trusted destinations using firewall rules or web application firewalls (WAFs). This limits the ability of SSRF attacks to reach internal services. Second, monitor and log outbound requests from the server for unusual or unexpected destinations to detect potential exploitation attempts. Third, consider disabling or removing the WP Compress plugin if it is not essential, or replace it with alternative performance optimization tools that do not have this vulnerability. Fourth, apply the principle of least privilege to internal services, ensuring they do not trust requests originating from the web server without proper authentication. Finally, once a patch is available from the vendor, prioritize updating the plugin to the fixed version to fully remediate the vulnerability. Regularly review and update WordPress plugins to minimize exposure to known vulnerabilities.
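One way to implement the outbound allowlist and egress-log monitoring recommended above, as an added example in Python that is not part of this advisory or of the plugin: it classifies each outbound destination and flags requests from the web server to internal or unlisted hosts. The allowlist, the log format and the log lines are constructed for illustration; a real egress proxy would enforce the same policy at connect time.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges a public web server has no business reaching on behalf of a visitor:
# loopback, RFC 1918, link-local (where cloud metadata services live) and IPv6 kin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# Hosts the site legitimately contacts (assumed allowlist, adjust per site).
ALLOWED_HOSTS = {"api.wordpress.org", "downloads.wordpress.org"}
# Constructed egress-proxy log lines for the web server (not real traffic).
SAMPLE_LOG = """\
2025-03-25T11:12:08Z src=10.0.5.20 method=GET url=https://api.wordpress.org/plugins/ status=200
2025-03-25T11:12:09Z src=10.0.5.20 method=GET url=http://169.254.169.254/ status=200
2025-03-25T11:12:10Z src=10.0.5.20 method=GET url=http://127.0.0.1:8080/ status=403
2025-03-25T11:12:11Z src=10.0.5.20 method=GET url=http://unlisted.example/ status=200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) src=\S+ method=\S+ url=(?P<url>\S+)")


def is_internal_ip(host: str) -> bool:
    """True if host is an IP literal inside a non-public range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal
    return any(ip in net for net in INTERNAL_NETS)


def classify_destination(url: str) -> str:
    """Return 'allowed', 'internal' or 'unexpected' for one outbound URL.
    Only IP literals are checked; a proxy must also resolve names at connect time."""
    host = (urlsplit(url).hostname or "").lower()
    if host in ALLOWED_HOSTS:
        return "allowed"
    if host == "localhost" or host.endswith(".localhost") or is_internal_ip(host):
        return "internal"
    return "unexpected"


def flag_egress_log(lines):
    """Return (timestamp, verdict, url) for every request not on the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            verdict = classify_destination(m["url"])
            if verdict != "allowed":
                hits.append((m["ts"], verdict, m["url"]))
    return hits
```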


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-03-07T21:15:53.865Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b1fb7ef31ef0b54e522

Added to database: 2/25/2026, 9:35:27 PM

Last enriched: 2/25/2026, 10:16:11 PM

Last updated: 2/26/2026, 6:11:28 AM