{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8723", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-07T20:42:36.986Z", "datePublished": "2025-08-19T07:26:26.487Z", "dateUpdated": "2026-04-08T16:35:38.694Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:38.694Z"}, "affected": [{"vendor": "mecanik", "product": "Cloudflare Image Resizing \u2013 Optimize & Accelerate Your Images", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution."}], "title": "Cloudflare Image Resizing <= 1.5.6 - Missing Authentication to Unauthenticated Remote Code Execution via rest_pre_dispatch Hook", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f3b3c1a-1d45-4e2f-854a-171fe759257b?source=cve"}, {"url": "https://wordpress.org/plugins/cf-image-resizing/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3337593/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3341917/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-08-08T16:51:54.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-18T19:08:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-19T13:18:53.589604Z", "id": "CVE-2025-8723", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-19T13:19:05.368Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8723", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-19T13:18:53.589604Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-19T13:18:59.467Z"}}], "cna": {"title": "Cloudflare Image Resizing <= 1.5.6 - Missing Authentication to Unauthenticated Remote Code Execution via rest_pre_dispatch Hook", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "mecanik", "product": "Cloudflare Image Resizing \u2013 Optimize & Accelerate Your Images", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.5.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-08T16:51:54.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-18T19:08:51.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f3b3c1a-1d45-4e2f-854a-171fe759257b?source=cve"}, {"url": "https://wordpress.org/plugins/cf-image-resizing/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3337593/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3341917/"}], "descriptions": [{"lang": "en", "value": "The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-19T07:26:26.487Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8723", "state": "PUBLISHED", "dateUpdated": "2025-08-19T13:19:05.368Z", "dateReserved": "2025-08-07T20:42:36.986Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-19T07:26:26.487Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution."}, {"lang": "es", "value": "El complemento Cloudflare Image Resizing para WordPress es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo debido a la falta de autenticaci\u00f3n y a una depuraci\u00f3n insuficiente en su m\u00e9todo hook_rest_pre_dispatch() en todas las versiones hasta la 1.5.6 incluida. Esto permite que atacantes no autenticados inyecten PHP arbitrario en el c\u00f3digo base, logrando la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-8723", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-19T08:15:30.957", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3337593/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3341917/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/cf-image-resizing/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f3b3c1a-1d45-4e2f-854a-171fe759257b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:00:07.427619+00:00", "value": {"mitigation_remediation": ["Update Cloudflare Image Resizing to the earliest available patch version (at least 1.5.7).", "If a patch is not immediately possible, remove or disable the plugin to eliminate the exposed entry point.", "Apply a firewall or web\u2011application\u2011firewall rule to block unauthenticated POST requests to the rest_pre_dispatch endpoint until a fix can be deployed."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Cloudflare Image Resizing plugin developed by mecanik, released through the WordPress plugin repository. All versions up to and including 1.5.6 are impacted; any site that has installed or is running a version within this range and has the plugin\u2019s REST endpoint exposed is susceptible.", "description_and_impact": "The Cloudflare Image Resizing WordPress plugin contains a critical flaw in its rest_pre_dispatch hook, where authentication is bypassed and user input is insufficiently sanitized. This flaw allows an attacker to inject arbitrary PHP code directly into the plugin\u2019s execution context, resulting in full remote code execution over the web.", "risk_and_exploitability": "With a CVSS score of 9.8 and an EPSS score of 2%, the potential for exploitation is significant. The bug is not listed in CISA\u2019s KEV catalog yet, but the high severity coupled with an unauthenticated, REST\u2011based attack vector makes it a high\u2011priority target for attackers."}}}}, "created": "2026-04-22T17:00:12.349302+00:00", "updated": "2026-04-22T17:00:12.349315+00:00", "vendors": []}