CVE-2025-8723

CRITICAL

Cloudflare Image Resizing <1.5.6 - RCE

Title source: llm

Description

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.

Exploits (2)

nomisec WORKING POC 7 stars

by Nxploited · poc

https://github.com/Nxploited/CVE-2025-8723

View Code ZIP pw:eip

github WORKING POC

by Boshe99 · pythonpoc

https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-8723

View Code ZIP pw:eip

References (4)

[Product] https://plugins.trac.wordpress.org/changeset/3337593/

[Product] https://plugins.trac.wordpress.org/changeset/3341917/

[Product] https://wordpress.org/plugins/cf-image-resizing/#developers

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/0f3b3c1a-1d45-4e2f-854a-171fe759257b?source=cve

Scores

CVSS v3 9.8

EPSS 0.0114

EPSS Percentile 78.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-94

Status draft

Timeline

Published Aug 19, 2025

Tracked Since Feb 18, 2026