CRITICAL · CVE-2025-6065 · CVSS 9.1

Image Resizer On The Fly <= 1.1 - Unauthenticated Arbitrary File Deletion

Platform

wordpress

Component

image-resizer-on-the-fly

Fixed in

1.1.1

AI Confidence: high · NVD · EPSS 3.7% · Reviewed: May 2026

CVE-2025-6065 describes an arbitrary file access vulnerability affecting the Image Resizer On The Fly plugin for WordPress. This flaw allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 1.1 of the plugin. A fix is expected from the vendor.

WordPress

Impact and Attack Scenarios

The primary impact of CVE-2025-6065 is the ability for an unauthenticated attacker to delete files on a WordPress server. The description specifically highlights the potential for remote code execution if critical files, such as wp-config.php, are deleted. Successful exploitation could grant an attacker complete control over the affected WordPress instance, enabling them to modify content, steal sensitive data (database credentials, user information), install malware, or pivot to other systems on the network. The lack of authentication required significantly broadens the attack surface, making this a high-risk vulnerability.

Exploitation Context

CVE-2025-6065 was publicly disclosed on 2025-06-14. The vulnerability is considered critical due to the potential for remote code execution. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the high impact. Monitor security advisories and vulnerability databases for updates and potential exploitation attempts.

Who Is at Risk

WordPress websites utilizing the Image Resizer On The Fly plugin, particularly those with default or weak security configurations, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.

Detection Steps

• wordpress: list installed plugins with WP-CLI and check whether the plugin is present and which version is installed (the list shows plugin slugs, not display names, so match on the slug):

wp plugin list | grep image-resizer-on-the-fly

• wordpress: inspect the installed plugin code for the delete functionality named in the advisory:

grep -r "delete_image" /var/www/html/wp-content/plugins/image-resizer-on-the-fly/

• wordpress: update the plugin once a patched release is available:

wp plugin update image-resizer-on-the-fly

• generic web: check the WordPress plugin directory for an updated version.
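The version check above can be scripted so it runs across many hosts (for example in shared hosting, which the advisory singles out). The following POSIX sh script is an added example, not code from the advisory or from the plugin: it reads the `Version:` header from a plugin's main PHP file and compares it against the fixed release 1.1.1 named on this page. The plugin header it runs against in the demo is constructed for the example; the main file name of the real plugin is not given on this page, so the script locates it by searching the plugin directory for a `Plugin Name:` header.

```shell
#!/bin/sh
# Added example (not part of the advisory or the plugin): flag an installed copy of
# image-resizer-on-the-fly whose version is below the fixed release 1.1.1.

FIXED_VERSION="1.1.1"   # fixed version as stated on this page

# plugin_main_file DIR: print the first .php file in DIR carrying a WordPress
# "Plugin Name:" header (the file that also carries the "Version:" header).
plugin_main_file() {
  grep -l '^[[:space:]*]*Plugin Name:' "$1"/*.php 2>/dev/null | head -n 1
}

# plugin_version FILE: print the value of the "Version:" header in FILE.
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt A B: return 0 if dotted version A is strictly lower than B.
# Compares field by field so that 1.1 < 1.1.1 and 1.10 > 1.9.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
    if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -lt "$bh" ]; then return 0; fi
    if [ "$ah" -gt "$bh" ]; then return 1; fi
  done
  return 1
}

# is_vulnerable FILE: print a verdict; return 0 if vulnerable, 1 if patched,
# 2 if no version header could be read.
is_vulnerable() {
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then
    echo "unknown: no Version header in $1"
    return 2
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable: $v is below fixed version $FIXED_VERSION"
    return 0
  fi
  echo "patched: $v"
  return 1
}

# Demo against a constructed plugin header, not a real installation.
demo() {
  dir=$(mktemp -d)
  printf '<?php\n/*\nPlugin Name: Image Resizer On The Fly\nVersion: 1.1\n*/\n' \
    > "$dir/image-resizer-on-the-fly.php"
  main=$(plugin_main_file "$dir")
  is_vulnerable "$main" || :
  rm -rf "$dir"
}
demo
```

On a real site, point `plugin_main_file` at `/var/www/html/wp-content/plugins/image-resizer-on-the-fly/` (the path used in the detection steps above) and act on the `vulnerable` verdict; a non-zero exit from `is_vulnerable` other than 1 means the header could not be parsed and the plugin should be checked by hand.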

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

3.65% (percentile 88%)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Base score: 9.1 CRITICAL
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (level of authentication required)
User Interaction: None (whether the victim must act)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: no authentication. No credentials required to exploit.
User Interaction
None: automatic, silent attack. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
None: no impact on confidentiality.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected Software

Component: image-resizer-on-the-fly
Vendor: wework4web
Affected range: 0 – 1.1
Fixed in: 1.1.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
No patch: 344 days since disclosure

Mitigation and Workarounds

The immediate mitigation for CVE-2025-6065 is to upgrade the Image Resizer On The Fly plugin to a patched version as soon as it becomes available. If upgrading is not immediately feasible, consider temporarily disabling the plugin to prevent exploitation. Web application firewalls (WAFs) can be configured to block requests targeting the 'delete' functionality with potentially malicious file paths. Regularly review file permissions on the WordPress server to ensure that only authorized users and processes have write access to sensitive files. After upgrading, confirm the vulnerability is resolved by attempting a delete operation with a non-existent file path and verifying that an error message is displayed instead of file deletion.

How to fix

Update the Image Resizer On The Fly plugin to the latest available version to fix this vulnerability. The update corrects the missing validation of file paths, preventing arbitrary file deletion on the server.

Frequently Asked Questions

What is CVE-2025-6065 — Arbitrary File Access in Image Resizer On The Fly?

CVE-2025-6065 is a critical vulnerability in the Image Resizer On The Fly WordPress plugin allowing unauthenticated attackers to delete files, potentially leading to remote code execution.

Am I affected by CVE-2025-6065 in Image Resizer On The Fly?

You are affected if your WordPress site uses the Image Resizer On The Fly plugin in versions 0.0.0 through 1.1. Check your plugin versions immediately.

How do I fix CVE-2025-6065 in Image Resizer On The Fly?

Upgrade the Image Resizer On The Fly plugin to a patched version as soon as it becomes available. Temporarily disable the plugin if upgrading is not possible.

Is CVE-2025-6065 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's ease of exploitation and high impact suggest it is likely to be targeted.

Where can I find the official Image Resizer On The Fly advisory for CVE-2025-6065?

Refer to the WordPress plugin directory and the plugin developer's website for official advisories and updates regarding CVE-2025-6065.
