{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6065", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-13T13:36:30.138Z", "datePublished": "2025-06-14T08:23:21.618Z", "dateUpdated": "2026-04-08T16:36:48.610Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:48.610Z"}, "affected": [{"vendor": "wework4web", "product": "Image Resizer On The Fly", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Image Resizer On The Fly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' task in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "Image Resizer On The Fly <= 1.1 - Unauthenticated Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14877ff6-e393-41a3-91c1-fe7f477297cc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/image-resizer-on-the-fly/trunk/image-resizer-on-the-fly.php#L25"}, {"url": "https://wordpress.org/plugins/image-resizer-on-the-fly/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2025-06-13T19:37:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-16T16:49:42.791265Z", "id": "CVE-2025-6065", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T18:39:56.275Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Image Resizer On The Fly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' task in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}, {"lang": "es", "value": "El complemento Image Resizer On The Fly para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de acceso en la tarea \"eliminar\" en todas las versiones hasta la 1.1 incluida. Esto permite que atacantes no autenticados eliminen archivos arbitrarios en el servidor, lo que puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php)."}], "id": "CVE-2025-6065", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-14T09:15:25.020", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/image-resizer-on-the-fly/trunk/image-resizer-on-the-fly.php#L25"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/image-resizer-on-the-fly/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14877ff6-e393-41a3-91c1-fe7f477297cc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:17:39.331652+00:00", "value": {"mitigation_remediation": ["Upgrade Image Resizer On The Fly to the latest available version that includes the path validation fix. This is the most effective and complete remedy. ", "Remove or deactivate the plugin if it is not required for site functionality. This eliminates the attack surface entirely. ", "Configure file and directory permissions to prevent web\u2011initiated deletions of critical files such as wp-config.php; consider setting those paths to read\u2011only for the web server process."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated arbitrary file deletion that can lead to remote code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the wework4web Image Resizer On The Fly plugin installed in any version up to and including 1.1. The plugin is distributed via the WordPress Plugin Repository and is commonly used on production and staging sites built with WordPress.", "description_and_impact": "The Image Resizer On The Fly plugin contains insufficient file path validation in its delete operation, allowing any visitor to trigger deletion of arbitrary files on the server. This flaw could be exploited to remove critical configuration files such as wp-config.php, thereby enabling an attacker to execute arbitrary code on the host. The weakness is a classic path traversal or directory traversal attack (CWE-22). The impact is loss of confidentiality, integrity, and availability, and can result in full control of the site if a key file is removed or replaced.", "risk_and_exploitability": "With a CVSS score of 9.1 the vulnerability is considered critical, and the EPSS score of 7% indicates that exploitation is reasonably likely. The flaw is not listed in the CISA KEV catalog, but its nature allows unauthenticated attackers to trigger the delete action via an HTTP request to the plugin\u2019s delete endpoint; based on the description, it is inferred that this is the attack vector. Once a sensitive file is removed or replaced, the attacker can leverage the resulting misconfiguration to run arbitrary code."}}}}, "created": "2026-04-22T17:30:22.631877+00:00", "updated": "2026-04-22T17:30:22.631888+00:00", "vendors": []}