CVE-2025-8723

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3337593/
https://plugins.trac.wordpress.org/changeset/3341917/
https://wordpress.org/plugins/cf-image-resizing/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/0f3b3c1a-1d45-4e2f-854a-171fe759257b?source=cve

Configurations

No configuration.

History

19 Aug 2025, 13:42

Type	Values Removed	Values Added
Summary		(es) El complemento Cloudflare Image Resizing para WordPress es vulnerable a la ejecución remota de código debido a la falta de autenticación y a una depuración insuficiente en su método hook_rest_pre_dispatch() en todas las versiones hasta la 1.5.6 incluida. Esto permite que atacantes no autenticados inyecten PHP arbitrario en el código base, logrando la ejecución remota de código.

19 Aug 2025, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-19 08:15

Updated : 2025-08-19 13:42

NVD link : CVE-2025-8723

Mitre link : CVE-2025-8723

CVE.ORG link : CVE-2025-8723

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.8 /10