CVE-2025-8723 CRITICAL

CVE-2025-8723: Cloudflare Image Resizing <= 1.5.6 - Missing Authentication to Unauthenticated Remote Code Execution via rest_pre_dispatch Hook

Vendor: Mecanik
Product: Cloudflare Image Resizing – Optimize & Accelerate Your Images
Weakness: CWE-94 · Code injection
Published: August 19, 2025
Last update: April 8, 2026

CVSS base score

9.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.

Explanation of Vulnerability in Simple Terms

02 Summary

The Cloudflare Image Resizing plugin for WordPress contains a code injection vulnerability that allows unauthenticated attackers to run arbitrary PHP code on affected sites. No user interaction or special privileges are required. The vulnerability affects all versions up to and including 1.5.6. Site administrators should update immediately to a patched version.

What an attacker can do

03 Attacker Capabilities

Run arbitrary PHP code on the site without authentication.

Potential impact on your site

04 Site Impact

Complete compromise of the site; attacker can read data, modify content, create backdoors, or take full control.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication, user interaction, or special configuration required.

Key dates

06 Disclosure timeline

August 19, 2025: CVE published
April 8, 2026: Record updated