CVE-2025-8723

Cloudflare Image Resizing <= 1.5.6 - Missing Authentication to Unauthenticated Remote Code Execution via rest_pre_dispatch Hook

CVSS 9.8 CRITICALEPSS 14.0%CWE-94

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

mecanik · Cloudflare Image Resizing – Optimize & Accelerate Your Images

public PoCs found — 1

githubgithub.com/Nxploited/CVE-2025-8723★ 8

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/3337593/https://plugins.trac.wordpress.org/changeset/3341917/https://wordpress.org/plugins/cf-image-resizing/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/0f3b3c1a-1d45-4e2f-854a-171fe759257b?source=cve