Platform
wordpress
Component
image-resizer-on-the-fly
Opgelost in
1.1.1
CVE-2025-6065 describes an arbitrary file access vulnerability affecting the Image Resizer On The Fly plugin for WordPress. This flaw allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 1.1 of the plugin. A fix is expected from the vendor.
The primary impact of CVE-2025-6065 is the ability for an unauthenticated attacker to delete files on a WordPress server. The description specifically highlights the potential for remote code execution if critical files, such as wp-config.php, are deleted. Successful exploitation could grant an attacker complete control over the affected WordPress instance, enabling them to modify content, steal sensitive data (database credentials, user information), install malware, or pivot to other systems on the network. The lack of authentication required significantly broadens the attack surface, making this a high-risk vulnerability.
CVE-2025-6065 was publicly disclosed on 2025-06-14. The vulnerability is considered critical due to the potential for remote code execution. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the high impact. Monitor security advisories and vulnerability databases for updates and potential exploitation attempts.
WordPress websites utilizing the Image Resizer On The Fly plugin, particularly those with default or weak security configurations, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.
• wordpress / composer / npm:
wp plugin list | grep "Image Resizer On The Fly"• wordpress / composer / npm:
grep -r "delete_image" /var/www/html/wp-content/plugins/image-resizer-on-the-fly/• wordpress / composer / npm:
wp plugin update image-resizer-on-the-fly• generic web: Check WordPress plugin directory for updated version.
disclosure
Exploit Status
EPSS
3.65% (88% percentiel)
CISA SSVC
CVSS-vector
The immediate mitigation for CVE-2025-6065 is to upgrade the Image Resizer On The Fly plugin to a patched version as soon as it becomes available. If upgrading is not immediately feasible, consider temporarily disabling the plugin to prevent exploitation. Web application firewalls (WAFs) can be configured to block requests targeting the 'delete' functionality with potentially malicious file paths. Regularly review file permissions on the WordPress server to ensure that only authorized users and processes have write access to sensitive files. After upgrading, confirm the vulnerability is resolved by attempting a delete operation with a non-existent file path and verifying that an error message is displayed instead of file deletion.
Werk de Image Resizer On The Fly plugin bij naar de laatste beschikbare versie om deze kwetsbaarheid te verhelpen. De update corrigeert het gebrek aan adequate validatie van bestandspaden, waardoor willekeurige bestandverwijdering op de server wordt voorkomen.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-6065 is a critical vulnerability in the Image Resizer On The Fly WordPress plugin allowing unauthenticated attackers to delete files, potentially leading to remote code execution.
You are affected if your WordPress site uses the Image Resizer On The Fly plugin in versions 0.0.0 through 1.1. Check your plugin versions immediately.
Upgrade the Image Resizer On The Fly plugin to a patched version as soon as it becomes available. Temporarily disable the plugin if upgrading is not possible.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation and high impact suggest it is likely to be targeted.
Refer to the WordPress plugin directory and the plugin developer's website for official advisories and updates regarding CVE-2025-6065.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.