CVE-2025-8723: 
WordPress vulnerability analysis and mitigation

The Cloudflare Image Resizing plugin for WordPress contains a critical Remote Code Execution (RCE) vulnerability (CVE-2025-8723) affecting all versions up to and including 1.5.6. The vulnerability stems from missing authentication and insufficient sanitization within the hookrestpre_dispatch() method, allowing unauthenticated attackers to inject arbitrary PHP code into the codebase (NVD).

The vulnerability is classified with a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is categorized as CWE-94 (Improper Control of Generation of Code - 'Code Injection'). The vulnerability exists in the hookrestpre_dispatch() method where insufficient input validation and missing authentication controls allow for arbitrary PHP code injection (NVD).

The vulnerability allows unauthenticated attackers to execute arbitrary code on the server, which could lead to complete system compromise. Attackers can potentially inject backdoors, create administrative user accounts, and gain full control over the affected WordPress installation (NVD).

The vulnerability has been patched in version 1.5.7 of the Cloudflare Image Resizing plugin. Users are strongly advised to update to this version immediately. The update includes patches for CVE-2025-8723 and implements additional hardening measures to enhance overall plugin security and input validation (WordPress Plugin).