Description
The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.
Published: 2025-08-19
Score: 9.8 Critical
EPSS: 1.6% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Cloudflare Image Resizing WordPress plugin contains a critical flaw in the method it attaches to WordPress's rest_pre_dispatch filter: the method performs no authentication of the caller and does not sufficiently sanitize request input before using it. An unauthenticated attacker can therefore inject arbitrary PHP into the plugin's code (CWE-94, code injection), resulting in full remote code execution over the web.
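As an added illustration, not the plugin's own code (the advisory does not show the vulnerable logic, and the function, route and option names below are invented), the following snippet shows the class of bug CWE-94 describes on the rest_pre_dispatch filter: a handler that takes a request value and writes it into a PHP file without checking who the caller is, beside a hardened version that rejects unauthenticated callers, validates the value against an allow-list, and stores it as data rather than as executable code.

```php
<?php
// Hypothetical illustration of a CWE-94 pattern on the rest_pre_dispatch filter.
// NOT the Cloudflare Image Resizing plugin's code; names are invented for the example.

// VULNERABLE PATTERN: the filter runs for every REST request; there is no capability
// check, and request data is interpolated into a PHP file that the site later include()s.
function example_vulnerable_rest_pre_dispatch( $result, $server, $request ) {
    if ( $request->get_route() !== '/example/v1/config' ) {
        return $result; // not our route, let WordPress dispatch normally
    }
    $cdn_domain = $request->get_param( 'cdn_domain' ); // attacker controlled, unsanitized
    $php = "<?php\nreturn array( 'cdn_domain' => '" . $cdn_domain . "' );\n";
    // Code-injection sink: a value such as  x'); system($_GET['c']); //  becomes PHP.
    file_put_contents( WP_CONTENT_DIR . '/example-config.php', $php );
    return new WP_REST_Response( array( 'ok' => true ), 200 );
}
// add_filter( 'rest_pre_dispatch', 'example_vulnerable_rest_pre_dispatch', 10, 3 );

// HARDENED PATTERN: authorize the caller, validate the input against a strict
// allow-list, and persist it as an option (data), never as generated PHP.
function example_hardened_rest_pre_dispatch( $result, $server, $request ) {
    if ( $request->get_route() !== '/example/v1/config' ) {
        return $result;
    }
    // An unauthenticated REST request has no current user, so this fails closed.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    $cdn_domain = sanitize_text_field( (string) $request->get_param( 'cdn_domain' ) );
    // Accept only a bare hostname: no quotes, slashes, whitespace or PHP tags can pass.
    $hostname = '/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$/i';
    if ( ! preg_match( $hostname, $cdn_domain ) ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid cdn_domain.', array( 'status' => 400 ) );
    }
    update_option( 'example_cdn_domain', $cdn_domain ); // stored as data, not code
    return new WP_REST_Response( array( 'ok' => true, 'cdn_domain' => $cdn_domain ), 200 );
}
// add_filter( 'rest_pre_dispatch', 'example_hardened_rest_pre_dispatch', 10, 3 );
```

The hardened variant still intercepts dispatch, which is unusual; the idiomatic WordPress fix is to register the route with register_rest_route() and put the capability check in its permission_callback, so that core enforces authorization before any callback runs. The two properties that matter either way are that the caller is authorized before any side effect and that request input never reaches a file that PHP will execute.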

Affected Systems

The vulnerability affects the Cloudflare Image Resizing plugin developed by mecanik and distributed through the WordPress plugin repository. All versions up to and including 1.5.6 are impacted. Because the vulnerable method is attached to the rest_pre_dispatch filter, WordPress calls it for every REST API request, so exposure is not limited to a plugin-specific route: any site running an affected version with the REST API reachable (the default) is susceptible.

Risk and Exploitability

With a CVSS score of 9.8 and an EPSS score of 1.6%, the potential for exploitation is significant. The bug is not yet listed in CISA's KEV catalog, but the high severity combined with an unauthenticated, network-reachable REST attack vector (CVSS AV:N/AC:L/PR:N/UI:N) makes it a high-priority target for attackers.

Generated by OpenCVE AI on April 22, 2026 at 17:00 UTC.

Remediation

No vendor fix or workaround is recorded in this entry.

OpenCVE Recommended Actions

  • Update Cloudflare Image Resizing to a fixed release newer than 1.5.6 (1.5.7 or later) and confirm the installed version afterwards.
  • If a patch is not immediately possible, remove or disable the plugin; deactivating it removes the rest_pre_dispatch hook and with it the exposed entry point.
  • rest_pre_dispatch is a WordPress filter that runs on every REST API request, not a single endpoint, so a path-based firewall rule cannot isolate it. As a temporary mitigation, restrict unauthenticated access to the REST API (requests under /wp-json/ or using ?rest_route=) at the WAF or within WordPress, accepting that this breaks anonymous REST consumers such as front-end forms and headless clients. This is a mitigation, not a fix.
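The following must-use plugin, added here as an example and not code from the plugin or its author, implements the interim mitigation in WordPress itself: it rejects unauthenticated REST requests before dispatch, which is where the rest_pre_dispatch filter fires. The allow-list of routes that must remain anonymous is a constructed placeholder to be adjusted per site.

```php
<?php
/**
 * Plugin Name: Example - Require authentication for the REST API
 * Description: Interim site-level mitigation (added example, not the vulnerable plugin's code).
 * Install by copying this file into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// WordPress runs the rest_authentication_errors filter in WP_REST_Server::serve_request()
// before it calls dispatch(), and rest_pre_dispatch fires inside dispatch(). Rejecting
// unauthenticated callers here therefore prevents any rest_pre_dispatch handler from
// seeing their requests.
//
// Priority 101 runs after core's rest_cookie_check_errors (priority 100), which drops
// cookie authentication when no valid REST nonce accompanies the request. Checking
// earlier would treat a nonce-less browser request (e.g. a cross-site one) as logged in.
add_filter( 'rest_authentication_errors', 'example_require_rest_authentication', 101 );

function example_require_rest_authentication( $result ) {
    // Another authentication handler already decided: true = authenticated, WP_Error = rejected.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Routes that must stay reachable anonymously. Hypothetical placeholder list;
    // populate it from what the site actually needs (or leave it empty).
    $anonymous_routes = array(
        '/example/v1/public-status',
    );
    $route = '';
    if ( isset( $GLOBALS['wp'] ) && ! empty( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
        $route = untrailingslashit( (string) $GLOBALS['wp']->query_vars['rest_route'] );
    }
    if ( in_array( $route, $anonymous_routes, true ) ) {
        return $result;
    }

    // After core's nonce check, is_user_logged_in() reflects a properly authenticated
    // user (cookie + nonce, application password, or another auth handler).
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'This site requires authentication to use the REST API.',
            array( 'status' => 401 )
        );
    }

    return $result;
}
```

Before relying on it, exercise the site's public features (contact forms, search, embeds, any headless front end) with the file in place, since those may call REST routes anonymously and will start receiving 401 responses until added to the allow-list. Remove the file once a fixed plugin version is installed.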

Advisories
Source  ID               Title
EUVD    EUVD-2025-28804  The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.
History

Tue, 19 Aug 2025 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 Aug 2025 07:45:00 +0000

Type: Description
Values Added: The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.

Type: Title
Values Added: Cloudflare Image Resizing <= 1.5.6 - Missing Authentication to Unauthenticated Remote Code Execution via rest_pre_dispatch Hook

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:38.694Z

Reserved: 2025-08-07T20:42:36.986Z

Link: CVE-2025-8723

Vulnrichment

Updated: 2025-08-19T13:18:59.467Z

NVD

Status : Deferred

Published: 2025-08-19T08:15:30.957

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8723

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses