CVE Vulnerability Database

CVE-2025-8723: Cloudflare Image Resizing RCE Vulnerability

CVE-2025-8723 is a remote code execution vulnerability in the Cloudflare Image Resizing WordPress plugin. Unauthenticated attackers can inject PHP code and execute commands. This article covers technical details, affected versions, detection methods, and mitigation steps.


CVE-2025-8723 Overview

The Cloudflare Image Resizing plugin for WordPress contains a critical Remote Code Execution vulnerability stemming from missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method. This vulnerability affects all versions up to and including 1.5.6, allowing unauthenticated attackers to inject arbitrary PHP code into the WordPress codebase and achieve complete remote code execution on the target server.

Critical Impact

Unauthenticated attackers can inject arbitrary PHP code, achieving full remote code execution on vulnerable WordPress installations without any user interaction required.

Affected Products

  • Cloudflare Image Resizing plugin for WordPress versions up to and including 1.5.6

Discovery Timeline

  • August 19, 2025 - CVE-2025-8723 published to NVD
  • August 19, 2025 - Last updated in NVD database

Technical Details for CVE-2025-8723

Vulnerability Analysis

This vulnerability is classified as Code Injection (CWE-94) and represents one of the most severe vulnerability types affecting WordPress plugins. The flaw exists in the hook_rest_pre_dispatch() method, which fails to implement proper authentication checks and input sanitization when processing REST API requests. This combination of security failures creates a direct path for attackers to inject malicious PHP code that executes within the context of the WordPress application.

The vulnerability requires no authentication whatsoever, meaning any remote attacker can exploit it over the network. The attack can be executed with low complexity and requires no user interaction, making it highly attractive to automated exploitation tools and malicious actors scanning for vulnerable WordPress installations.

Root Cause

The root cause of CVE-2025-8723 lies in two fundamental security failures within the plugin's codebase:

  1. Missing Authentication: The hook_rest_pre_dispatch() method lacks proper authentication checks, allowing any unauthenticated user to access and interact with the vulnerable functionality.

  2. Insufficient Input Sanitization: User-supplied input processed by this method is not adequately sanitized or validated before being used in a context that allows PHP code execution, enabling attackers to inject and execute arbitrary PHP commands.

Attack Vector

The attack is conducted over the network by sending specially crafted requests to the WordPress REST API endpoint handled by the vulnerable plugin. An attacker can craft malicious payloads containing PHP code that bypasses the insufficient sanitization measures. Once the payload reaches the hook_rest_pre_dispatch() method, the injected PHP code is executed with the privileges of the web server process, potentially allowing:

  • Complete server compromise
  • Data exfiltration from the WordPress database
  • Installation of backdoors and web shells
  • Lateral movement within the hosting environment
  • Defacement or modification of website content
  • Use of the server for further malicious activities

The exploitation does not require any form of authentication or prior access to the WordPress installation, making internet-facing WordPress sites with this plugin installed immediately vulnerable.

Detection Methods for CVE-2025-8723

Indicators of Compromise

  • Unexpected PHP files created in WordPress directories, particularly in plugin folders or upload directories
  • Unusual outbound network connections from the web server process
  • Modified or newly created files in the wp-content/plugins/cf-image-resizing/ directory
  • Suspicious REST API requests targeting Cloudflare Image Resizing plugin endpoints
  • Evidence of web shells or backdoor scripts in the WordPress installation

Detection Strategies

  • Monitor WordPress REST API access logs for unusual patterns targeting the Cloudflare Image Resizing plugin
  • Implement file integrity monitoring to detect unauthorized modifications or new PHP files
  • Review web application firewall (WAF) logs for PHP injection attempts in request parameters
  • Analyze server logs for unusual process spawning or command execution from web server processes
  • Deploy intrusion detection rules targeting common PHP webshell signatures

Monitoring Recommendations

  • Enable verbose logging for WordPress REST API requests
  • Implement real-time alerting for new PHP file creation in WordPress directories
  • Monitor for suspicious patterns in HTTP POST request bodies to REST endpoints
  • Track changes to plugin files using version control or file integrity monitoring solutions
  • Review server resource utilization for anomalies indicating cryptomining or other malicious activity
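The following script is an added illustration of the log-monitoring items above; it is not code from the plugin, from Cloudflare, or from this advisory's authors. It parses combined-format access logs and flags requests that reach the plugin's REST namespace, which is assumed here to be cf-image-resizing (the sub-route v1/example and all log lines are constructed). It checks both forms WordPress accepts, the pretty-permalink path /wp-json/... and the query form /?rest_route=..., since a monitoring rule that only matches the path misses the second.

```python
"""Scan web-server access logs for requests that reach the Cloudflare Image
Resizing plugin's REST routes.  Added illustration for this advisory, not code
from the plugin or from Cloudflare; the REST namespace 'cf-image-resizing'
is assumed, and the log lines are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

PLUGIN_NAMESPACE = "cf-image-resizing"  # assumed REST namespace (plugin slug)


def targets_plugin_rest(target: str) -> bool:
    """True if the request reaches the plugin namespace via either form WordPress
    accepts: the pretty-permalink path /wp-json/<ns>/... or the query form
    /?rest_route=/<ns>/... (which a path-only rewrite rule does not cover)."""
    parts = urlsplit(target)
    ns = re.escape(PLUGIN_NAMESPACE)
    if re.search(rf"/wp-json/{ns}(/|$)", unquote(parts.path)):
        return True
    # parse_qs already percent-decodes the value.
    for route in parse_qs(parts.query).get("rest_route", []):
        if re.match(rf"/{ns}(/|$)", route):
            return True
    return False


def scan_log(lines):
    """Return (hits, per_ip): parsed entries that reached the plugin's REST
    routes, and a count of those entries per client address."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and targets_plugin_rest(m["target"]):
            hits.append(m.groupdict())
            per_ip[m["ip"]] += 1
    return hits, per_ip


# Constructed sample log; the sub-route 'v1/example' is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Aug/2025:10:01:02 +0000] "POST /wp-json/cf-image-resizing/v1/example HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Aug/2025:10:01:05 +0000] "POST /?rest_route=%2Fcf-image-resizing%2Fv1%2Fexample HTTP/1.1" 200 498',
    '198.51.100.4 - - [19/Aug/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 10240',
    '198.51.100.4 - - [19/Aug/2025:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['target']} -> {h['status']}")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} request(s) to the plugin's REST routes")
```

Request bodies are not in access logs, so this only tells you which clients touched the routes; pair it with WAF or application-level logging if you need the payloads themselves.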

How to Mitigate CVE-2025-8723

Immediate Actions Required

  • Update the Cloudflare Image Resizing plugin to the latest patched version immediately
  • If unable to update, deactivate and remove the Cloudflare Image Resizing plugin until a patch can be applied
  • Conduct a thorough security audit of WordPress installations to identify any signs of compromise
  • Review and remove any suspicious PHP files or unauthorized modifications to the WordPress codebase
  • Consider temporarily restricting REST API access via .htaccess or web server configuration
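As an added example for the update check and audit steps above (not code from the plugin, from Cloudflare, or from this advisory), the script below reads the installed plugin version from the WordPress plugin header, compares it with the last affected release 1.5.6, and lists PHP files in the plugin directory that are new or changed relative to a hash baseline. The plugin slug cf-image-resizing is taken from the advisory; the file contents are constructed, and a real baseline must be hashed from a pristine copy of the plugin, not from the host being audited.

```python
"""Audit a WordPress install for CVE-2025-8723 exposure: read the installed
Cloudflare Image Resizing plugin version, compare it with the last affected
release (1.5.6), and report PHP files in the plugin directory that are new or
changed relative to a known-good hash baseline.  Added illustration for this
advisory, not the plugin's or Cloudflare's own code; the plugin slug
'cf-image-resizing' is from the advisory, the file contents below are
constructed, and a real baseline should be hashed from a pristine copy of the
plugin rather than from the possibly compromised host."""
import hashlib
import re
import tempfile
from pathlib import Path
from textwrap import dedent

LAST_AFFECTED = (1, 5, 6)  # vulnerable: all versions up to and including 1.5.6
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text: str) -> tuple:
    """'1.5.6' -> (1, 5, 6); tuples compare component-wise, so 1.10 > 1.5.6."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def installed_version(plugin_dir: Path):
    """Read the 'Version:' line of the WordPress plugin header from the
    plugin's main PHP file; None if no header is found."""
    for php in sorted(plugin_dir.glob("*.php")):
        m = VERSION_RE.search(php.read_text(errors="replace"))
        if m:
            return m.group(1)
    return None


def is_affected(version: str) -> bool:
    return parse_version(version) <= LAST_AFFECTED


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_php_files(plugin_dir: Path, baseline: dict):
    """baseline maps plugin-relative paths to SHA-256 hex digests.
    Returns (new_files, modified_files), each a sorted list of relative paths."""
    new, modified = [], []
    for php in sorted(plugin_dir.rglob("*.php")):
        rel = php.relative_to(plugin_dir).as_posix()
        if rel not in baseline:
            new.append(rel)
        elif baseline[rel] != sha256_file(php):
            modified.append(rel)
    return new, modified


def build_demo_plugin(root: Path) -> dict:
    """Create a constructed plugin directory: two legitimate files are hashed
    into a baseline, then one is altered and a rogue PHP file is dropped in,
    mimicking post-exploitation tampering.  Returns the pre-tampering baseline."""
    main = root / "cf-image-resizing.php"
    main.write_text(dedent("""\
        <?php
        /**
         * Plugin Name: Cloudflare Image Resizing (constructed sample)
         * Version: 1.5.6
         */
        """))
    helper = root / "includes" / "helper.php"
    helper.parent.mkdir(parents=True, exist_ok=True)
    helper.write_text("<?php\nfunction cfir_helper() { return true; }\n")
    baseline = {p.relative_to(root).as_posix(): sha256_file(p) for p in (main, helper)}
    # Tampering: a modified helper and an unexpected new PHP file.
    helper.write_text("<?php\nfunction cfir_helper() { return false; }\n")
    (root / "uploads-cache.php").write_text("<?php\n// unexpected file\n")
    return baseline


def run_demo() -> dict:
    """Build the constructed plugin directory in a temp folder and audit it."""
    root = Path(tempfile.mkdtemp())
    baseline = build_demo_plugin(root)
    ver = installed_version(root)
    new, modified = audit_php_files(root, baseline)
    return {"version": ver, "affected": bool(ver) and is_affected(ver),
            "new": new, "modified": modified}


if __name__ == "__main__":
    r = run_demo()
    print(f"installed version: {r['version']} -> {'AFFECTED' if r['affected'] else 'not affected'}")
    print("new PHP files:", r["new"])
    print("modified PHP files:", r["modified"])
```

On a real host, point installed_version and audit_php_files at wp-content/plugins/cf-image-resizing/ and supply a baseline built from the matching release in the WordPress Plugin Directory; a new or modified file is a lead for the audit, not proof of compromise on its own.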

Patch Information

Security patches addressing this vulnerability have been released by the plugin developers. The fixes are documented in the WordPress Plugin Changeset 3337593 and WordPress Plugin Changeset 3341917. Users should update to the latest version available from the WordPress Plugin Directory. Additional vulnerability details are available in the Wordfence Vulnerability Report.

Workarounds

  • Deactivate the Cloudflare Image Resizing plugin until the official patch can be applied
  • Implement Web Application Firewall (WAF) rules to block suspicious REST API requests containing PHP code patterns
  • Restrict access to the WordPress REST API from trusted IP addresses only using server-level configuration
  • Enable WordPress application-level security plugins that can detect and block code injection attempts
  • Consider using Cloudflare's native image resizing features directly without the WordPress plugin as an alternative

```apache
# Configuration example - restrict access to the plugin's REST routes in .htaccess.
# Place this block above the standard WordPress rewrite rules so it is evaluated first.
# Replace 192.168.1. with the address range that legitimately needs these routes.
# The path condition matches only the pretty-permalink form of the REST API; requests
# using the query form (/?rest_route=/cf-image-resizing/...) are not covered by this rule.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/cf-image-resizing/ [NC]
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\. [NC]
RewriteRule .* - [F,L]
</IfModule>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
