平台
wordpress
组件
image-resizer-on-the-fly
修复版本
1.1.1
CVE-2025-6065 describes an arbitrary file access vulnerability affecting the Image Resizer On The Fly plugin for WordPress. This flaw allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 1.1 of the plugin. A fix is expected from the vendor.
The primary impact of CVE-2025-6065 is the ability for an unauthenticated attacker to delete files on a WordPress server. The description specifically highlights the potential for remote code execution if critical files, such as wp-config.php, are deleted. Successful exploitation could grant an attacker complete control over the affected WordPress instance, enabling them to modify content, steal sensitive data (database credentials, user information), install malware, or pivot to other systems on the network. The lack of authentication required significantly broadens the attack surface, making this a high-risk vulnerability.
CVE-2025-6065 was publicly disclosed on 2025-06-14. The vulnerability is considered critical due to the potential for remote code execution. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the high impact. Monitor security advisories and vulnerability databases for updates and potential exploitation attempts.
WordPress websites utilizing the Image Resizer On The Fly plugin, particularly those with default or weak security configurations, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.
• wordpress / composer / npm:
wp plugin list | grep "Image Resizer On The Fly"• wordpress / composer / npm:
grep -r "delete_image" /var/www/html/wp-content/plugins/image-resizer-on-the-fly/• wordpress / composer / npm:
wp plugin update image-resizer-on-the-fly• generic web: Check WordPress plugin directory for updated version.
disclosure
漏洞利用状态
EPSS
3.65% (88% 百分位)
CISA SSVC
CVSS 向量
The immediate mitigation for CVE-2025-6065 is to upgrade the Image Resizer On The Fly plugin to a patched version as soon as it becomes available. If upgrading is not immediately feasible, consider temporarily disabling the plugin to prevent exploitation. Web application firewalls (WAFs) can be configured to block requests targeting the 'delete' functionality with potentially malicious file paths. Regularly review file permissions on the WordPress server to ensure that only authorized users and processes have write access to sensitive files. After upgrading, confirm the vulnerability is resolved by attempting a delete operation with a non-existent file path and verifying that an error message is displayed instead of file deletion.
将 Image Resizer On The Fly 插件更新到最新可用版本以修复此漏洞。 更新将修复文件路径验证不足的问题,从而防止在服务器上进行任意文件删除。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-6065 is a critical vulnerability in the Image Resizer On The Fly WordPress plugin allowing unauthenticated attackers to delete files, potentially leading to remote code execution.
You are affected if your WordPress site uses the Image Resizer On The Fly plugin in versions 0.0.0 through 1.1. Check your plugin versions immediately.
Upgrade the Image Resizer On The Fly plugin to a patched version as soon as it becomes available. Temporarily disable the plugin if upgrading is not possible.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation and high impact suggest it is likely to be targeted.
Refer to the WordPress plugin directory and the plugin developer's website for official advisories and updates regarding CVE-2025-6065.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。