CVE-2025-8723

Cloudflare Image Resizing <= 1.5.6 - Missing Authentication to Unauthenticated Remote Code Execution via rest_pre_dispatch Hook

CVSS 9.8 CRITICALEPSS 14.0%CWE-94

Vexday Risk Score

53Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.8EPSS 14.0%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

19 Aug 2025Published on NVD

19 Aug 2025Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

mecanik · Cloudflare Image Resizing – Optimize & Accelerate Your Images

public PoCs found — 1

githubgithub.com/Nxploited/CVE-2025-8723★ 8

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/3337593/https://plugins.trac.wordpress.org/changeset/3341917/https://wordpress.org/plugins/cf-image-resizing/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/0f3b3c1a-1d45-4e2f-854a-171fe759257b?source=cve