
CVE-2025-57899: CWE-862 Missing Authorization in AresIT WP Compress

Severity: Medium
Tags: Vulnerability, CVE-2025-57899, CWE-862
Published: Mon Sep 22 2025 (09/22/2025, 18:25:28 UTC)
Source: CVE Database V5
Vendor/Project: AresIT
Product: WP Compress

Description

Missing Authorization vulnerability in AresIT WP Compress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Compress: from n/a through 6.50.54.

AI-Powered Analysis

AI analysis last updated: 09/30/2025, 01:46:42 UTC

Technical Analysis

CVE-2025-57899 is a Missing Authorization vulnerability (CWE-862) identified in the AresIT WP Compress plugin for WordPress. This vulnerability allows unauthorized users to access functionality that should be protected by Access Control Lists (ACLs). Specifically, the issue arises because certain functions within the WP Compress plugin do not properly enforce authorization checks, enabling attackers to invoke these functions without the necessary permissions. The affected versions include all versions up to 6.50.54, though the exact initial vulnerable version is unspecified (noted as 'n/a'). The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) shows that the attack can be performed remotely over the network without any privileges or user interaction, and it impacts availability only, with no confidentiality or integrity loss. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability's root cause is the lack of proper authorization checks on sensitive plugin functionality, which could allow attackers to disrupt service availability or cause denial-of-service conditions by invoking functions they should not access. Given WP Compress is a WordPress plugin designed to optimize images and improve website performance, exploitation could degrade website availability or performance, impacting user experience and potentially causing downtime or resource exhaustion.
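The CWE-862 pattern the analysis describes, as an added example that is not WP Compress's code: a WordPress handler that performs privileged, resource-heavy work without checking who asked, beside the form that enforces authorization. The handler, route and helper names (demo_*) are hypothetical.

```php
<?php
// Added example, not the plugin's code. Names prefixed demo_ are hypothetical.

// BEFORE (CWE-862): the hook is registered for unauthenticated callers
// (wp_ajax_nopriv_) and the handler checks neither capability nor nonce.
// Any visitor reaching admin-ajax.php?action=demo_purge_legacy triggers the
// expensive work, which is how a PR:N/UI:N availability impact arises.
add_action( 'wp_ajax_nopriv_demo_purge_legacy', 'demo_purge_unsafe' );
add_action( 'wp_ajax_demo_purge_legacy', 'demo_purge_unsafe' );
function demo_purge_unsafe() {
    demo_rebuild_optimized_images();
    wp_send_json_success( 'purged' );
}

// AFTER: no nopriv variant, so anonymous requests never reach the handler;
// the caller must hold a specific capability; and a valid nonce is required
// so a logged-in user cannot be tricked into triggering it (CSRF).
add_action( 'wp_ajax_demo_purge', 'demo_purge_safe' );
function demo_purge_safe() {
    check_ajax_referer( 'demo_purge', 'nonce' ); // terminates with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );    // terminates the request
    }
    demo_rebuild_optimized_images();
    wp_send_json_success( 'purged' );
}

// The same rule for a REST route: permission_callback IS the authorization
// check. Supplying '__return_true' here would reintroduce CWE-862.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/purge', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_purge',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
function demo_rest_purge( WP_REST_Request $request ) {
    demo_rebuild_optimized_images();
    return rest_ensure_response( array( 'status' => 'purged' ) );
}

// Stand-in for the plugin's real image-optimization work (hypothetical).
function demo_rebuild_optimized_images() {
    // ... regenerate compressed images; CPU- and I/O-intensive ...
}
```

When auditing a plugin for this class of bug, list every `wp_ajax_nopriv_*`, `admin_post_nopriv_*` and `register_rest_route` registration and confirm each has a capability check or non-trivial `permission_callback`.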

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the extent of WP Compress plugin usage within their WordPress deployments. Organizations relying on WP Compress for image optimization could face service disruptions if attackers exploit this missing authorization flaw to invoke resource-intensive functions or disrupt plugin operations. This could lead to website slowdowns or outages, negatively affecting customer-facing services, e-commerce platforms, or internal portals. While the vulnerability does not directly compromise data confidentiality or integrity, availability impacts can still cause significant operational and reputational damage, especially for businesses with high web traffic or critical online services. Additionally, organizations in sectors such as e-commerce, media, and public services that rely heavily on WordPress sites may experience increased risk. The lack of required privileges or user interaction for exploitation increases the threat level, as attackers can remotely trigger the vulnerability without authentication. However, the absence of known exploits in the wild and the medium CVSS score suggest that while the threat is real, it may not be actively exploited at scale yet. Nonetheless, European organizations should treat this vulnerability seriously due to the potential for denial-of-service conditions and the widespread use of WordPress in the region.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first inventory their WordPress environments to identify installations using the WP Compress plugin, especially versions up to 6.50.54. Since no official patches are currently linked, organizations should monitor AresIT and trusted vulnerability databases for updates or security patches addressing this issue. In the interim, administrators can implement the following specific measures:

1) Restrict access to WordPress administrative interfaces and plugin endpoints via network-level controls such as IP whitelisting or VPN access to limit exposure to trusted users only.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting WP Compress plugin endpoints or unusual function calls.
3) Review and harden WordPress user roles and permissions to minimize the number of users with administrative or plugin management rights.
4) Consider temporarily disabling or uninstalling the WP Compress plugin if the risk outweighs the benefits until a patch is available.
5) Monitor web server and application logs for anomalous activity related to WP Compress plugin functions to detect potential exploitation attempts early.
6) Keep WordPress core and all plugins updated to the latest versions to reduce the attack surface.

These targeted actions go beyond generic advice by focusing on access restrictions, monitoring, and proactive plugin management tailored to this specific vulnerability.


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-08-22T11:35:51.302Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68d197d605d26ef415250894

Added to database: 9/22/2025, 6:39:18 PM

Last enriched: 9/30/2025, 1:46:42 AM

Last updated: 10/7/2025, 1:51:54 PM

