What the vulnerability does
01 Description
The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.
Explanation of Vulnerability in Simple Terms
02 Summary
The Cloudflare Image Resizing plugin for WordPress contains a code injection vulnerability that allows unauthenticated attackers to run arbitrary PHP code on affected sites. No user interaction or special privileges are required. The vulnerability affects all versions up to and including 1.5.6. Site administrators should update immediately to a patched version.
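A version check an administrator could run against a `wp-content/plugins` directory, as an added example that is not part of the advisory or the plugin's code. It assumes the plugin's header carries the name used in this advisory; the folder names and the `99.0.0` version in the sample data are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Cloudflare Image Resizing"  # name as written in the advisory (assumed header value)
LAST_AFFECTED = (1, 5, 6)                  # "up to, and including, 1.5.6"
# WordPress plugin header fields sit in a comment at the top of the main file.
FIELD_RE = re.compile(r"^[ \t/*#]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.I | re.M)

def read_header(php_file):
    """Return the first 'plugin name' / 'version' header values found."""
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in FIELD_RE.findall(text):
        fields.setdefault(key.lower(), value)
    return fields

def is_affected(version):
    """True if version <= 1.5.6; unparsable versions fail closed (True)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        return True
    parts = [int(p) for p in m.group().split(".")]
    while parts and parts[-1] == 0:  # treat 1.5.6.0 as 1.5.6
        parts.pop()
    return tuple(parts) <= LAST_AFFECTED

def scan(plugins_dir):
    """Yield (folder, version, affected) for each matching plugin install."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        h = read_header(php)
        if h.get("plugin name", "").lower() == PLUGIN_NAME.lower():
            version = h.get("version", "")
            yield php.parent.name, version, is_affected(version)

def demo():
    """Run the scan over a constructed plugins directory (folder names invented)."""
    with tempfile.TemporaryDirectory() as tmp:
        for folder, name, ver in [("img-resize-old", PLUGIN_NAME, "1.5.6"),
                                  ("img-resize-new", PLUGIN_NAME, "99.0.0"),
                                  ("other", "Some Other Plugin", "1.0.0")]:
            d = Path(tmp, folder)
            d.mkdir()
            (d / "main.php").write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return list(scan(tmp))

if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real site, pass the path of the plugins directory to `scan()`; an install reported as affected should be updated or deactivated.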
What an attacker can do
03 Attacker Capabilities
Run arbitrary PHP code on the site without authentication.
Potential impact on your site
04 Site Impact
Complete compromise of the site; attacker can read data, modify content, create backdoors, or take full control.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication, user interaction, or special configuration required.
Key dates
06 Disclosure timeline
August 19, 2025: CVE published
April 8, 2026: Record updated