CVE-2025-6065: 
WordPress vulnerability analysis and mitigation

The Image Resizer On The Fly plugin for WordPress contains a critical vulnerability (CVE-2025-6065) discovered and disclosed on June 13, 2025. This vulnerability affects all versions up to and including version 1.1, leading to the plugin being temporarily closed pending a full security review (WordPress Plugin).

The vulnerability stems from insufficient file path validation in the 'delete' task functionality. It has been assigned a CVSS v3.1 score of 9.1 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal) (NVD, Wiz).

The vulnerability allows unauthenticated attackers to delete arbitrary files on the server. This capability is particularly dangerous as it can lead to remote code execution when critical files, such as wp-config.php, are deleted (NVD).

The plugin has been temporarily closed and removed from the WordPress plugin repository as of June 13, 2025, pending a full security review. Users are advised to immediately remove this plugin from their WordPress installations (WordPress Plugin).