PT-2025-33714 · WordPress · Cloudflare Image Resizing

Kenneth Dunn · Published 2025-08-19 · Updated 2025-09-04 · CVE-2025-8723

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Cloudflare Image Resizing plugin for WordPress versions up to and including 1.5.6
Description: The Cloudflare Image Resizing plugin for WordPress is vulnerable to unauthenticated Remote Code Execution (RCE) because its hook_rest_pre_dispatch() method performs no authentication or capability check and does not sanitize its input. The method is attached to the rest_pre_dispatch filter, which WP_REST_Server::dispatch() applies before the matched route's permission_callback runs, so the manage_options check that the core /wp-json/wp/v2/settings/ endpoint would normally enforce never takes place for this code path. When the hook sees a request to that endpoint, it takes parameters such as cf_image_resizing_format and cf_image_resizing_fit without validation and writes them directly into the plugin's configuration files as PHP source. An unauthenticated attacker can therefore inject arbitrary PHP code into the codebase, and the injected code executes on every subsequent site visit that loads those files.
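The pattern described above, as an added illustration written for this page rather than code taken from the Cloudflare Image Resizing plugin: the first function models a rest_pre_dispatch callback that copies request parameters into a PHP configuration file with no authentication and no validation; the second shows the hardened shape (explicit capability check, allowlisted values, storage in the options table instead of generated PHP). All function, option and file names are hypothetical, and the allowlists are assumed values, not the plugin's.

```php
<?php
/**
 * Added illustration for this advisory, not code from the Cloudflare Image
 * Resizing plugin. Function, option and file names are hypothetical.
 */

// ----- Vulnerable pattern (illustrative only) -----------------------------
// rest_pre_dispatch is applied at the top of WP_REST_Server::dispatch(),
// before the route's permission_callback, so nothing here has been
// authorised yet.
function hypothetical_vulnerable_pre_dispatch( $result, $server, $request ) {
    if ( '/wp/v2/settings' !== untrailingslashit( $request->get_route() ) ) {
        return $result;
    }
    $format = $request->get_param( 'cf_image_resizing_format' );
    $fit    = $request->get_param( 'cf_image_resizing_fit' );
    if ( null !== $format || null !== $fit ) {
        // Attacker-controlled strings are interpolated into PHP source; a
        // single quote in either value ends the literal and the rest of the
        // value becomes code that runs whenever the file is include()d.
        $php = "<?php\n\$format = '" . $format . "';\n\$fit = '" . $fit . "';\n";
        file_put_contents( WP_CONTENT_DIR . '/hypothetical-config.php', $php );
    }
    return $result;
}
// add_filter( 'rest_pre_dispatch', 'hypothetical_vulnerable_pre_dispatch', 10, 3 );

// ----- Hardened replacement -----------------------------------------------
// Assumed allowlists; the real option values are not stated on this page.
const HYPOTHETICAL_ALLOWED_FORMAT = array( 'auto', 'avif', 'webp', 'json' );
const HYPOTHETICAL_ALLOWED_FIT    = array( 'scale-down', 'contain', 'cover', 'crop', 'pad' );

// Returns the normalised value if it is on the allowlist, otherwise null.
function hypothetical_validate_choice( $value, $allowed ) {
    if ( ! is_string( $value ) ) {
        return null;
    }
    $value = sanitize_key( $value ); // lowercase [a-z0-9_-] only
    return in_array( $value, $allowed, true ) ? $value : null;
}

function hypothetical_hardened_pre_dispatch( $result, $server, $request ) {
    if ( '/wp/v2/settings' !== untrailingslashit( $request->get_route() ) ) {
        return $result;
    }
    $format = $request->get_param( 'cf_image_resizing_format' );
    $fit    = $request->get_param( 'cf_image_resizing_fit' );
    if ( null === $format && null === $fit ) {
        return $result;
    }
    // 1. Authorise explicitly: this hook runs before the core endpoint's own
    //    permission_callback, so it must not rely on it.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 401 ) );
    }
    // 2. Accept only allowlisted values; reject anything else outright.
    $checked_format = ( null === $format ) ? null : hypothetical_validate_choice( $format, HYPOTHETICAL_ALLOWED_FORMAT );
    $checked_fit    = ( null === $fit )    ? null : hypothetical_validate_choice( $fit, HYPOTHETICAL_ALLOWED_FIT );
    if ( ( null !== $format && null === $checked_format ) || ( null !== $fit && null === $checked_fit ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unsupported value.', array( 'status' => 400 ) );
    }
    // 3. Persist as data in the options table, never as PHP source on disk.
    if ( null !== $checked_format ) {
        update_option( 'hypothetical_cf_format', $checked_format );
    }
    if ( null !== $checked_fit ) {
        update_option( 'hypothetical_cf_fit', $checked_fit );
    }
    return $result;
}
// add_filter( 'rest_pre_dispatch', 'hypothetical_hardened_pre_dispatch', 10, 3 );
```

The capability check has to live inside the hook because rest_pre_dispatch is applied in WP_REST_Server::dispatch() before the matched route's permission_callback. The more idiomatic fix is to stop intercepting the request at all and declare the options with register_setting() (type, sanitize_callback and show_in_rest), so that the core /wp/v2/settings endpoint enforces manage_options and runs the sanitizer itself.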
Recommendations: Cloudflare Image Resizing plugin for WordPress versions up to and including 1.5.6 are affected. As a temporary workaround, disable the hook_rest_pre_dispatch() function until a patch is available (deactivating the plugin removes the hook as well), and restrict access to the /wp-json/wp/v2/settings/ API endpoint to authenticated administrators to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
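One way to apply the "restrict access to the endpoint" workaround above at the WordPress layer, as an added example for this page (it is neither the plugin vendor's nor WordPress core's code; the file name and function names are hypothetical): a must-use plugin that rejects unauthenticated or non-administrator calls to the core settings route before the REST server dispatches them.

```php
<?php
/**
 * Plugin Name: Guard /wp/v2/settings (temporary hardening)
 *
 * Added example for this advisory; not code from Cloudflare or WordPress
 * core. Save as wp-content/mu-plugins/guard-settings-route.php (hypothetical
 * file name). It rejects requests to the core settings route unless the
 * caller is already authenticated and holds manage_options, the capability
 * the core endpoint itself demands, so legitimate admin use is unchanged.
 *
 * Why this ordering works: WP_REST_Server::serve_request() calls
 * check_authentication(), which applies rest_authentication_errors, BEFORE
 * dispatch(), where rest_pre_dispatch fires. A WP_Error returned here becomes
 * the response and no rest_pre_dispatch callback ever sees the request.
 */

// True when the current HTTP request targets the core settings route.
function hypothetical_is_settings_route() {
    $candidates = array();
    // Plain-permalink form: /?rest_route=/wp/v2/settings
    if ( isset( $_GET['rest_route'] ) ) {
        $candidates[] = (string) wp_unslash( $_GET['rest_route'] );
    }
    // Pretty-permalink form: /wp-json/wp/v2/settings, possibly below a subdirectory
    if ( isset( $_SERVER['REQUEST_URI'] ) ) {
        $candidates[] = (string) wp_parse_url( wp_unslash( $_SERVER['REQUEST_URI'] ), PHP_URL_PATH );
    }
    foreach ( $candidates as $path ) {
        // Decode percent-encoding so an encoded path segment cannot slip past the match.
        $path = rawurldecode( $path );
        if ( preg_match( '#(^|/)wp/v2/settings/?$#i', $path ) ) {
            return true;
        }
    }
    return false;
}

function hypothetical_guard_settings_route( $result ) {
    if ( is_wp_error( $result ) ) {
        return $result; // an earlier authentication filter already rejected the request
    }
    if ( ! hypothetical_is_settings_route() ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required for this route.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges for this route.', array( 'status' => 403 ) );
    }
    return $result;
}
// Priority 101: run after core's rest_cookie_check_errors (priority 100), which
// downgrades a cookie session that lacks a valid X-WP-Nonce to user 0, so
// is_user_logged_in() below reflects the state the endpoint would see.
add_filter( 'rest_authentication_errors', 'hypothetical_guard_settings_route', 101 );
```

This is defence in depth only: it does not remove the flawed code, so disabling the hook or the plugin, as recommended above, remains the primary step. An equivalent deny rule at the web server or CDN for unauthenticated requests to /wp-json/wp/v2/settings/ and to the ?rest_route=/wp/v2/settings form is worth adding alongside it, since a rule in front of PHP holds even if the mu-plugin is removed.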

Tags: RCE · Code Injection

Related Identifiers: CVE-2025-8723

Affected Products: Cloudflare Image Resizing