CRITICAL · CVE-2025-8723 · CVSS 9.8

CVE-2025-8723: RCE in Cloudflare Image Resizing Plugin

Platform

wordpress

Component

cf-image-resizing

Fixed in

1.5.7

AI Confidence: high · NVD · EPSS 1.5% · Reviewed: May 2026

CVE-2025-8723 represents a critical Remote Code Execution (RCE) vulnerability discovered in the Cloudflare Image Resizing plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious PHP code into the plugin's codebase, potentially granting them complete control over the affected WordPress installation. The vulnerability impacts versions 1.0.0 through 1.5.6, and a patch is available in version 1.5.7.


Impact and Attack Scenarios

The impact of CVE-2025-8723 is severe. Successful exploitation allows an attacker to execute arbitrary PHP code on the server hosting the WordPress site. This can lead to complete website takeover, data exfiltration (including sensitive user data, database credentials, and proprietary information), defacement, and the installation of malware. Given the plugin's function of image resizing, attackers could potentially leverage this to inject malicious code into images served to users, leading to further compromise. The lack of authentication makes this vulnerability particularly dangerous, as it can be exploited without any prior credentials.

Exploitation Context

CVE-2025-8723 is publicly known and has a CRITICAL CVSS score. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the plugin's popularity suggest a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. This vulnerability was disclosed on 2025-08-19.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

1.49% (81% percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base score: 9.8 (CRITICAL)
Source: nextguardhq.com · CVSS v3.1 Base Score

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

What do these metrics mean?

Attack Vector: Network. Remotely exploitable over the internet; no physical or local access required. Widest attack surface.
Attack Complexity: Low. No special conditions required; the attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None. Unauthenticated; no login or credentials needed to exploit.
User Interaction: None. The attack is automatic and silent; the victim does nothing: no click, no file open.
Scope: Unchanged. Impact is limited to the vulnerable component itself.
Confidentiality: High. Complete confidentiality loss; the attacker can read all data: credentials, keys, personal data.
Integrity: High. The attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High. Complete crash or resource exhaustion; full denial of service.

Affected Software

Component: cf-image-resizing
Vendor: mecanik
Affected range: 0 – 1.5.6
Fixed in: 1.5.7

Package Information

Active installs: 200 (Niche)
Plugin rating: 4.5
Requires WordPress: 5.0+
Compatible up to: 6.9.4
Requires PHP: 7.0+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-8723 is to immediately upgrade the Cloudflare Image Resizing plugin to version 1.5.7 or later. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily disable the plugin to prevent exploitation. A direct WAF rule is difficult to write without specific payload signatures, but a general rule blocking requests handled through the rest_pre_dispatch() hook could offer limited protection. Regularly review installed WordPress plugins and ensure they come from trusted sources.

How to fix

Update the Cloudflare Image Resizing plugin to version 1.5.7 or later to mitigate the remote code execution vulnerability. This update addresses the missing authentication and insufficient sanitization that allow attackers to inject arbitrary PHP code.
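The fix above comes down to one question: is the installed version below 1.5.7? As an added example (not code from the plugin, its vendor, or this advisory), the following Python reads the version out of a WordPress plugin's standard header block and compares it numerically against the fixed release. The sample header, the assess_file path, and the helper names are constructed assumptions for the example.

```python
"""Version check for the cf-image-resizing WordPress plugin against
CVE-2025-8723 (affected 0 - 1.5.6, fixed in 1.5.7).

Added example for this advisory; not code from the plugin or its vendor.
Assumptions: the plugin's main PHP file carries a standard WordPress
plugin header with a "Version:" line; the sample header below is
constructed for the example.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

CVE_ID = "CVE-2025-8723"
PLUGIN_SLUG = "cf-image-resizing"
FIXED_VERSION = "1.5.7"  # from the advisory: everything below this is affected

# Matches a "Version: x.y.z" line inside a WordPress plugin header comment.
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Constructed sample of a plugin main-file header (not the real plugin file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Cloudflare Image Resizing
 * Plugin URI:  https://example.invalid/cf-image-resizing
 * Version:     1.5.6
 * Requires PHP: 7.0
 */
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.5.7' into a tuple that orders numerically.

    A plain string comparison would rank '1.10.0' below '1.5.6' and report
    a patched site as vulnerable. A pre-release suffix such as '1.5.7-beta'
    is ordered below the final release of the same number.
    """
    core, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in core.split(".") if part.isdigit())
    return numbers + ((0,) if suffix else (1,))


def is_affected(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Extract the Version: field from a plugin header block, if present."""
    match = HEADER_VERSION_RE.search(php_source)
    return match.group(1) if match else None


def assess(php_source: str) -> dict:
    """Summarise exposure for the contents of one plugin main file."""
    version = plugin_version_from_header(php_source)
    if version is None:
        return {"plugin": PLUGIN_SLUG, "version": None, "affected": None,
                "advice": "could not read plugin version; inspect the file manually"}
    affected = is_affected(version)
    advice = (f"upgrade to {FIXED_VERSION} or later, or disable the plugin until you can"
              if affected else f"not affected by {CVE_ID}")
    return {"plugin": PLUGIN_SLUG, "version": version, "affected": affected,
            "advice": advice}


def assess_file(path: Path) -> dict:
    """Same check against a plugin main file on disk, for example
    wp-content/plugins/cf-image-resizing/cf-image-resizing.php (assumed path)."""
    return assess(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Run against the constructed sample header; it reports version 1.5.6 as affected.
    print(assess(SAMPLE_PLUGIN_HEADER))
```

On a host with WP-CLI available, `wp plugin get cf-image-resizing --field=version` returns the same value the header parser extracts. The numeric tuple comparison is the part worth keeping: a string compare would misread a future 1.10.x release as older than 1.5.6 and raise a false alarm, or, with the inequality reversed, miss a genuinely affected install.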


Frequently asked questions

What is CVE-2025-8723 — RCE in Cloudflare Image Resizing Plugin?

CVE-2025-8723 is a critical Remote Code Execution vulnerability in the Cloudflare Image Resizing plugin for WordPress, allowing attackers to execute arbitrary PHP code.

Am I affected by CVE-2025-8723 in Cloudflare Image Resizing Plugin?

You are affected if your WordPress site uses the Cloudflare Image Resizing plugin versions 1.0.0 through 1.5.6. Check your plugin versions immediately.

How do I fix CVE-2025-8723 in Cloudflare Image Resizing Plugin?

Upgrade the Cloudflare Image Resizing plugin to version 1.5.7 or later. If immediate upgrade is not possible, temporarily disable the plugin.

Is CVE-2025-8723 being actively exploited?

While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation suggest a high risk of exploitation.

Where can I find the official Cloudflare advisory for CVE-2025-8723?

Refer to the official Cloudflare security advisory for detailed information and updates regarding CVE-2025-8723.
