Arbitrary File Deletion in Image Resizer On The Fly Plugin for WordPress
CVE-2025-6065

9.1CRITICAL

Key Information:

Vendor: WordPress
Status: Image Resizer On The Fly
Vendor: CVE Published:; 14 June 2025

What is CVE-2025-6065?

The Image Resizer On The Fly plugin for WordPress suffers from a vulnerability that allows unauthenticated attackers to exploit insufficient file path validation in the 'delete' task. This security flaw exists in all versions up to and including 1.1, enabling attackers to delete arbitrary files on the server. If a sensitive file such as wp-config.php is targeted, this can lead to severe consequences including potential remote code execution.

Affected Version(s)

Image Resizer On The Fly * <= 1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/image-resizer-...

https://wordpress.org/plugins/image-resizer-on-the-fly/

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 14, 2025
Vulnerability Reserved
Jun 13, 2025

Credit

Youcef Hamdani