Platform: wordpress
Component: cf-image-resizing
Fixed in: 1.5.7
CVE-2025-8723 is a critical Remote Code Execution (RCE) vulnerability in the Cloudflare Image Resizing plugin for WordPress. The flaw allows unauthenticated attackers to inject malicious PHP code into the plugin's codebase, potentially granting them complete control over the affected WordPress installation. The vulnerability affects versions 1.0.0 through 1.5.6; a patch is available in version 1.5.7.
The impact of CVE-2025-8723 is severe. Successful exploitation allows an attacker to execute arbitrary PHP code on the server hosting the WordPress site. This can lead to complete website takeover, data exfiltration (including sensitive user data, database credentials, and proprietary information), defacement, and the installation of malware. Because the plugin resizes images, attackers could also use the flaw to inject malicious code into images served to users, leading to further compromise. The lack of authentication makes this vulnerability particularly dangerous, as it can be exploited without any prior credentials.
CVE-2025-8723 is publicly known and has a CRITICAL CVSS score. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the plugin's popularity suggest a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. This vulnerability was disclosed on 2025-08-19.
Exploit status: EPSS 1.49% (81st percentile)
The primary mitigation for CVE-2025-8723 is to immediately upgrade the Cloudflare Image Resizing plugin to version 1.5.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct WAF rule is difficult to implement without specific payload signatures, a general rule blocking requests to the hookrestpre_dispatch() endpoint could offer limited protection. Regularly review WordPress plugin installations and ensure they are from trusted sources.
Update the Cloudflare Image Resizing plugin to version 1.5.7 or later to mitigate the remote code execution vulnerability. This update addresses the missing authentication and insufficient sanitization that allow attackers to inject arbitrary PHP code.
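As an added check (not code from the advisory or from the plugin), the POSIX shell script below reads the plugin's WordPress `Version:` header and reports whether the installed cf-image-resizing release falls in the affected 1.0.0 through 1.5.6 range. It assumes `sort -V` is available and, since the plugin's main file name is not given here, scans every top-level .php file in the plugin directory.

```shell
#!/bin/sh
# Added example: decide whether an installed cf-image-resizing version
# is in the range affected by CVE-2025-8723 (1.0.0 <= v < 1.5.7).
# Assumes POSIX sh plus `sort -V` for version ordering.

AFFECTED_MIN=1.0.0
FIXED_IN=1.5.7

# version_lt A B: exit 0 when A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# cf_image_resizing_vulnerable VERSION: exit 0 if VERSION is affected.
cf_image_resizing_vulnerable() {
    v=$1
    if version_lt "$v" "$AFFECTED_MIN"; then return 1; fi
    if version_lt "$v" "$FIXED_IN"; then return 0; fi
    return 1
}

# plugin_version DIR: print the "Version:" header of the plugin's main file.
# The main file name is not stated in the advisory (assumption), so every
# top-level .php file is scanned for a standard WordPress plugin header.
plugin_version() {
    dir=$1
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        ver=$(sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$ver" ]; then printf '%s\n' "$ver"; return 0; fi
    done
    return 1
}

# check_site WP_ROOT: print a verdict; exit 0 only when action is needed.
check_site() {
    dir="$1/wp-content/plugins/cf-image-resizing"
    [ -d "$dir" ] || { echo "cf-image-resizing not installed"; return 1; }
    ver=$(plugin_version "$dir") || { echo "version header not found"; return 2; }
    if cf_image_resizing_vulnerable "$ver"; then
        echo "VULNERABLE: cf-image-resizing $ver (CVE-2025-8723); upgrade to $FIXED_IN or later, or deactivate"
        return 0
    fi
    echo "ok: cf-image-resizing $ver"
    return 1
}
```

Run as `check_site /var/www/html` from a shell that has sourced the script; a zero exit status means the site still needs the upgrade.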
CVE-2025-8723 is a critical Remote Code Execution vulnerability in the Cloudflare Image Resizing plugin for WordPress, allowing attackers to execute arbitrary PHP code.
You are affected if your WordPress site uses the Cloudflare Image Resizing plugin versions 1.0.0 through 1.5.6. Check your plugin versions immediately.
Upgrade the Cloudflare Image Resizing plugin to version 1.5.7 or later. If immediate upgrade is not possible, temporarily disable the plugin.
While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation suggest a high risk of exploitation.
Refer to the official Cloudflare security advisory for detailed information and updates regarding CVE-2025-8723.