EUVD-2025-18325

CVE-2025-6065 CRITICAL
2025-06-14
CVSS 3.1: 9.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 14, 2026 - 21:53 (vuln.today)
- EUVD ID Assigned: Mar 14, 2026 - 21:53 (euvd), EUVD-2025-18325
- CVE Published: Jun 14, 2025 - 09:15 (nvd), CRITICAL 9.1

Description

The Image Resizer On The Fly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' task in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Analysis

The Image Resizer On The Fly WordPress plugin (versions ≤1.1) contains a critical arbitrary file deletion vulnerability in its 'delete' task that allows unauthenticated attackers to remove arbitrary files from the server. Deleting a critical file such as wp-config.php can facilitate remote code execution, leading to complete compromise of the WordPress installation. With a CVSS score of 9.1 and a network-accessible attack vector requiring no user interaction or privileges, this represents a critical risk to all unpatched installations.

Technical Context

The vulnerability stems from insufficient input validation in the plugin's file deletion functionality (CWE-22: Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'). The 'delete' task parameter fails to properly sanitize or validate file paths before deletion operations, allowing attackers to traverse directory structures using path traversal sequences (e.g., '../../../') to reach files outside intended directories. The affected product is the 'Image Resizer On The Fly' plugin for WordPress (CPE: wordpress:image_resizer_on_the_fly), which handles image manipulation and file management. WordPress plugins execute with the same privileges as the WordPress installation, making file deletion a direct path to system compromise. The vulnerability exists because the plugin does not implement proper whitelist validation, canonicalization, or chroot jailing of file paths before performing delete operations.
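The canonicalization and allowlist checks named above, as an added example that is not the plugin's code or a vendor fix. The function name, the cache directory layout and the extension list are assumptions made for illustration, and the missing authentication check has to be handled separately in a real handler.

```php
<?php
// Added example, not the plugin's code: confine a delete request to one directory.
// resolve_deletable_path(), the cache directory and the extension allowlist
// are hypothetical names and values chosen for illustration.

function resolve_deletable_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // realpath() throws on NUL bytes in PHP 8, so reject them up front.
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Canonicalize first: realpath() resolves "..", "." and symlinks, and
    // returns false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator stops
    // a sibling such as "/cache-old" from matching the prefix "/cache".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Allowlist: an image cache only ever needs to delete image files.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true) ? $target : null;
}

// Constructed demo tree: <tmp>/site/wp-config.php and <tmp>/site/cache/a.jpg
$site = sys_get_temp_dir() . '/irotf_demo_' . bin2hex(random_bytes(4));
mkdir("$site/cache", 0700, true);
file_put_contents("$site/wp-config.php", "<?php // constructed placeholder\n");
file_put_contents("$site/cache/a.jpg", 'constructed');

// Constructed inputs: one legitimate cache file and three that must be refused.
foreach (['a.jpg', '../wp-config.php', '/etc/hostname', 'missing.png'] as $input) {
    $path = resolve_deletable_path("$site/cache", $input);
    if ($path !== null) {
        unlink($path);
    }
    printf("%-20s %s\n", $input, $path === null ? 'rejected' : 'deleted');
}
printf("wp-config.php present: %s\n", file_exists("$site/wp-config.php") ? 'yes' : 'no');
```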

Affected Products

- vendor: wordpress; product: image_resizer_on_the_fly; versions: up to and including 1.1; affected_scope: All installations; cpe: cpe:2.3:a:wordpress:image_resizer_on_the_fly:*:*:*:*:*:wordpress:*:*

Priority Score

49

- KEV: 0
- EPSS: +3.7
- CVSS: +46
- POC: 0
