CRITICAL · CVE-2025-6065 · CVSS 9.1

Image Resizer On The Fly <= 1.1 - Unauthenticated Arbitrary File Deletion

Platform

wordpress

Component

image-resizer-on-the-fly

Fixed in

1.1.1

AI Confidence: high · NVD · EPSS 3.7% · Reviewed: May 2026

CVE-2025-6065 describes an arbitrary file deletion vulnerability in the Image Resizer On The Fly plugin for WordPress. The flaw allows unauthenticated attackers to delete arbitrary files on the server, which can be escalated to remote code execution when critical files such as wp-config.php are removed. Versions 0.0.0 through 1.1 of the plugin are affected. The affected-software data on this page lists 1.1.1 as the fixed release while its timeline records no fix; confirm the current state against the plugin's changelog in the WordPress plugin directory before relying on either.


Impact and Attack Scenarios

The primary impact of CVE-2025-6065 is that an unauthenticated attacker can delete files on a WordPress server. The CVSS vector scores the direct effect as loss of integrity and availability (I:H/A:H) with no direct confidentiality impact (C:N), but the description highlights the escalation path: if wp-config.php is deleted, WordPress has no configuration to load and serves its installation wizard instead, which the attacker can complete against a database under their control to obtain an administrator account, and from there upload a plugin or theme containing PHP code. That chain gives complete control over the affected instance: modifying content, reading files and uploads the web server can access, installing malware, or pivoting to other systems on the network. Because no authentication is required, the attack surface is every reachable site running the affected plugin, which makes this a high-risk vulnerability.

Exploitation Context

CVE-2025-6065 was publicly disclosed on 2025-06-14. The vulnerability is considered critical due to the potential for remote code execution. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the high impact. Monitor security advisories and vulnerability databases for updates and potential exploitation attempts.

Who Is at Risk

WordPress websites utilizing the Image Resizer On The Fly plugin, particularly those with default or weak security configurations, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.

Detection Steps

• WP-CLI: confirm the plugin is installed and read its version by slug (the `wp plugin list` output shows slugs, not display names, so grepping it for "Image Resizer On The Fly" finds nothing):

wp plugin get image-resizer-on-the-fly --field=version

• Source check: the search for a `delete_image` handler is a starting point only; that name is not confirmed by the advisory, so also search the plugin directory for `unlink(` calls and for `wp_ajax_nopriv_` or `admin-post` hooks that reach them without a capability check:

grep -r "delete_image" /var/www/html/wp-content/plugins/image-resizer-on-the-fly/

• Remediation rather than detection: apply the listed fixed version if the plugin directory offers it, and deactivate the plugin if it does not:

wp plugin update image-resizer-on-the-fly

• Generic web: check the WordPress plugin directory for an updated version.
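The version check behind the steps above, as an added example (not code from this page or from the plugin): it reads the `Version:` header with the same regular-expression grammar WordPress's `get_file_data()` uses and compares it with `version_compare()`, so `1.1` is reported as affected and `1.1.1` or `1.10` as not, where a plain string comparison would misorder `1.10` against `1.9`. The constructed sample header, the `irotf_` function names and the constant are this example's own; the fixed version is the one listed on this page.

```php
<?php
// Added example (not from the page or the plugin): decide whether an installed copy of
// image-resizer-on-the-fly falls in the affected range 0 <= version < 1.1.1 by reading
// the plugin header the way WordPress's get_file_data() does and comparing with
// version_compare(), which orders "1.1" < "1.1.1" < "1.10" correctly.

const IROTF_FIXED_VERSION = '1.1.1'; // fixed version as listed on this page

/** Extract the "Version:" header from the first 8 KB of a plugin's main file. */
function irotf_header_version(string $file_contents): ?string
{
    $head = str_replace("\r", "\n", substr($file_contents, 0, 8192));
    if (!preg_match('/^[ \t\/*#@]*Version:(.*)$/mi', $head, $m)) {
        return null;
    }
    // Strip a trailing comment terminator, as WordPress does, then surrounding whitespace.
    return trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
}

/** True when $version is older than the fixed release. */
function irotf_is_affected(string $version): bool
{
    return version_compare($version, IROTF_FIXED_VERSION, '<');
}

/**
 * Scan a plugin directory for the file carrying the "Plugin Name:" header.
 * Returns [file, version, affected] or null when no plugin header is found.
 */
function irotf_scan_plugin_dir(string $dir): ?array
{
    foreach (glob(rtrim($dir, '/') . '/*.php') ?: [] as $file) {
        $contents = (string) file_get_contents($file);
        if (!preg_match('/^[ \t\/*#@]*Plugin Name:/mi', substr($contents, 0, 8192))) {
            continue;
        }
        $version = irotf_header_version($contents);
        return [
            'file'     => $file,
            'version'  => $version,
            'affected' => $version !== null && irotf_is_affected($version),
        ];
    }
    return null;
}

// With a directory argument, scan a real install; otherwise run against a constructed
// sample header (made up for this example, not the plugin's actual file).
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $result = irotf_scan_plugin_dir($argv[1]);
    echo $result ? json_encode($result) . "\n" : "no plugin header found in {$argv[1]}\n";
} else {
    $sample = "<?php\n/*\nPlugin Name: Image Resizer On The Fly\nVersion: 1.1\n*/\n";
    printf("sample header version: %s\n", irotf_header_version($sample));
    foreach (['1.1', '1.1.1', '1.0.9', '1.10'] as $v) {
        printf("%-6s affected=%s\n", $v, irotf_is_affected($v) ? 'yes' : 'no');
    }
}
```

Run it as `php check.php /var/www/html/wp-content/plugins/image-resizer-on-the-fly` on a real install; without an argument it exercises the constructed sample and prints `1.1` and `1.0.9` as affected, `1.1.1` and `1.10` as not.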

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

3.65% (88th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H · 9.1 CRITICAL

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions needed to exploit)
Privileges Required: None (authentication level needed)
User Interaction: None (whether the victim must take an action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service interruption)
nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access needed.
Attack Complexity
Low: no special conditions. The attacker can exploit it reliably.
Privileges Required
None: no authentication needed to exploit.
User Interaction
None: the attack is automatic and silent. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
None: no direct confidentiality impact. Data exposure only follows as a secondary consequence of the site takeover described above.
Integrity
High: the attacker can write, modify or delete any data. Here, any file the web server process may unlink.
Availability
High: complete outage or resource exhaustion. Deleting the files WordPress needs to run takes the site down.

Affected Software

Component: image-resizer-on-the-fly
Vendor: wework4web
Affected range: 0 – 1.1
Fixed in: 1.1.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
No fix recorded in this timeline: 344 days since disclosure. The affected-software table above lists 1.1.1 as the fixed version; verify against the plugin's changelog before relying on either figure.

Mitigation and Workarounds

The immediate mitigation for CVE-2025-6065 is to upgrade Image Resizer On The Fly to the fixed release listed here (1.1.1) where it is offered; if no patched release is available for your install, deactivate and remove the plugin rather than leaving it active. A web application firewall can block requests that reach the plugin's delete functionality with path-traversal sequences (`..`, encoded variants such as `%2e%2e`) or absolute paths in file parameters, but treat that as a stopgap: the rule depends on knowing the request shape and is bypassed by any encoding it does not normalize. Review file ownership and permissions so that the PHP process can write only where it must (the uploads directory); note that a file is unlinked based on write permission to its directory, not the file's own mode, so the WordPress root directory holding wp-config.php must not be writable by the web server user. After upgrading, verify on a staging copy: place a canary file outside the uploads directory, invoke the delete functionality with a traversal path pointing at it, and confirm the request is rejected and the canary still exists. A request naming a non-existent file that returns an error proves little on its own, since the vulnerable code also fails on a missing file.

How to Fix

Update the Image Resizer On The Fly plugin to the latest available version to address this vulnerability. The update adds the file-path validation the vulnerable versions lack, preventing arbitrary file deletion on the server.
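The missing validation described above, shown as an added example in the form of a hypothetical WordPress AJAX delete handler; this is illustrative code written for this page, not the plugin's source, and the advisory does not say how the plugin's own code is structured. The action names (`irotf_delete_v1`, `irotf_delete`), the POST parameters (`file`, `nonce`) and the `resized/` subdirectory are assumptions. The vulnerable handler shows the bug class (reachable via `wp_ajax_nopriv_`, no capability check, a caller-controlled path passed to `unlink()`); the hardened one adds a nonce, a capability check and `irotf_confine_path()`, which accepts only a bare file name with an allow-listed extension that resolves, after `realpath()`, to a regular file inside the intended directory.

```php
<?php
// Added example for this page: hypothetical handler code, not the plugin's own source.
// Action names, parameter names and the "resized/" directory are assumptions.

// ---- Vulnerable pattern (the bug class this CVE describes) ----
// Registered on the *_nopriv_ hook, so any visitor can call it; no nonce, no capability
// check, and the caller-supplied name is concatenated straight into the path.
add_action('wp_ajax_nopriv_irotf_delete_v1', 'irotf_delete_vulnerable');
add_action('wp_ajax_irotf_delete_v1', 'irotf_delete_vulnerable');
function irotf_delete_vulnerable(): void
{
    $base = wp_upload_dir()['basedir'] . '/resized/';
    $file = isset($_POST['file']) && is_string($_POST['file']) ? wp_unslash($_POST['file']) : '';
    // file=../../../wp-config.php walks out of the uploads tree. With wp-config.php gone,
    // WordPress serves its install wizard, which is the takeover path discussed above.
    @unlink($base . $file);
    wp_send_json_success();
}

// ---- Hardened handler ----
// Logged-in users only (no *_nopriv_ hook), CSRF nonce, capability check, and the path
// is confined to one directory before unlink() ever sees it.
add_action('wp_ajax_irotf_delete', 'irotf_delete_hardened');
function irotf_delete_hardened(): void
{
    check_ajax_referer('irotf_delete', 'nonce');          // dies on a missing/invalid nonce
    if (!current_user_can('upload_files')) {              // least privilege for a media action
        wp_send_json_error('forbidden', 403);
    }
    $base   = wp_upload_dir()['basedir'] . '/resized/';
    $name   = isset($_POST['file']) && is_string($_POST['file']) ? wp_unslash($_POST['file']) : '';
    $target = irotf_confine_path($base, $name);
    if ($target === false) {
        wp_send_json_error('invalid file', 400);
    }
    if (!unlink($target)) {
        wp_send_json_error('delete failed', 500);
    }
    wp_send_json_success(basename($target));
}

/**
 * Return the absolute path of $name inside $base, or false unless $name is a bare file
 * name with an allow-listed extension that resolves to a regular file inside $base.
 * No WordPress dependency, so it can be exercised on its own.
 *
 * @return string|false
 */
function irotf_confine_path(string $base, string $name)
{
    // A bare file name only: a NUL byte would truncate the path at the filesystem layer,
    // and any directory component ("..", "sub/x.png", "/etc/x.png") changes basename().
    if ($name === '' || strpos($name, "\0") !== false || $name === '.' || $name === '..'
        || $name !== basename($name)) {
        return false;
    }
    if (!preg_match('/\.(jpe?g|png|gif|webp)$/i', $name)) {   // extension allow-list
        return false;
    }
    $base_real   = realpath($base);
    $target_real = realpath(rtrim($base, '/\\') . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for a missing path and resolves symlinks, so a link inside
    // $base that points at wp-config.php fails the prefix check below.
    if ($base_real === false || $target_real === false || !is_file($target_real)) {
        return false;
    }
    $prefix = rtrim($base_real, '/\\') . DIRECTORY_SEPARATOR;
    if (strncmp($target_real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $target_real;
}
```

`irotf_confine_path()` can be checked outside WordPress: with a temporary directory containing `a.png`, it returns the resolved path for `a.png` and `false` for `../wp-config.php`, `sub/a.png`, `a.php`, and for a symlink in the directory that points outside it. The prefix comparison is done on the `realpath()` result rather than on the input string precisely so that the symlink case is caught.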


Frequently Asked Questions

What is CVE-2025-6065 — Arbitrary File Deletion in Image Resizer On The Fly?

CVE-2025-6065 is a critical vulnerability in the Image Resizer On The Fly WordPress plugin that allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution.

Am I affected by CVE-2025-6065 in Image Resizer On The Fly?

You are affected if your WordPress site uses the Image Resizer On The Fly plugin in versions 0.0.0 through 1.1. Check your plugin versions immediately.

How do I fix CVE-2025-6065 in Image Resizer On The Fly?

Upgrade the Image Resizer On The Fly plugin to the fixed release listed here (1.1.1) or later where it is available. If no patched release is offered for your install, deactivate and remove the plugin.

Is CVE-2025-6065 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's ease of exploitation and high impact suggest it is likely to be targeted.

Where can I find the official Image Resizer On The Fly advisory for CVE-2025-6065?

Refer to the WordPress plugin directory and the plugin developer's website for official advisories and updates regarding CVE-2025-6065.
