CVE-2025-6065: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wework4web Image Resizer On The Fly
The Image Resizer On The Fly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' task in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-6065 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) found in the 'Image Resizer On The Fly' WordPress plugin developed by wework4web. This vulnerability exists in all plugin versions up to and including 1.1. The flaw arises from insufficient validation of file paths in the plugin's 'delete' task, which is responsible for removing image files. Because the plugin does not properly restrict or sanitize the pathname input, an unauthenticated attacker can craft malicious requests to traverse directories and delete arbitrary files on the server. This can include sensitive files such as wp-config.php, which contains database credentials and other critical configuration data. Deletion of such files can lead to denial of service or facilitate remote code execution if attackers replace or manipulate files to execute arbitrary code. The vulnerability is remotely exploitable over the network without any authentication or user interaction, making it highly dangerous. The CVSS v3.1 base score is 9.1, reflecting the ease of exploitation and the severe impact on integrity and availability. Although no exploits have been reported in the wild yet, the vulnerability's nature and severity make it a high-priority risk for WordPress sites using this plugin. The lack of available patches at the time of disclosure increases the urgency for mitigation.
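The root cause described above is a deletion routine that trusts a client-supplied file name. The following PHP is an added example written for this page, not the plugin's own code: it shows how a delete task can confine itself to one cache directory by canonicalising the path with realpath() and checking the result against the canonical base. The cache directory, the file-name parameter and the temporary layout used for the demonstration are all assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code: confine a deletion to a base directory.
// $baseDir (a hypothetical resized-image cache directory) and $requested (the
// user-supplied file name) are assumptions for illustration.

/**
 * Canonicalise $requested relative to $baseDir and return the absolute path
 * only if it lies strictly inside $baseDir; return null otherwise.
 * realpath() resolves "..", "." and symlinks, so the check is made on the
 * canonical path rather than on the raw string the client sent.
 */
function resolveInsideBase(string $baseDir, string $requested): ?string
{
    // NUL bytes and empty names are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing: nothing can be deleted safely
    }

    // Non-existent targets yield false; there is nothing to delete then anyway.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }

    // Require the canonical target to start with "<base>/"; comparing against
    // the bare base would wrongly accept a sibling such as "/cache-other".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $target;
}

/**
 * Delete a cached image only if it resolves inside the cache directory, is a
 * regular file, and carries an image extension. Returns true when deleted.
 */
function deleteResizedImage(string $baseDir, string $requested): bool
{
    $target = resolveInsideBase($baseDir, $requested);
    if ($target === null || !is_file($target)) {
        return false;
    }
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return false;
    }
    return unlink($target);
}

// Demonstration on a throw-away directory layout constructed for this example:
//   <tmp>/wp-config.php    stand-in for the real configuration file
//   <tmp>/cache/thumb.jpg  a legitimately cached image
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'irotf-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/cache', 0700, true);
file_put_contents($root . '/wp-config.php', '<?php /* stand-in */');
file_put_contents($root . '/cache/thumb.jpg', 'x');

var_dump(deleteResizedImage($root . '/cache', '../wp-config.php')); // traversal attempt
var_dump(deleteResizedImage($root . '/cache', 'thumb.jpg'));        // legitimate cache entry
var_dump(file_exists($root . '/wp-config.php'));                    // confirm the config survived

// Clean up the demonstration directory.
@unlink($root . '/wp-config.php');
@rmdir($root . '/cache');
@rmdir($root);
```

Two design points matter here. Stripping `../` from the string is not a substitute for this check, because encoded variants, mixed separators and symlinks all survive string filtering but are resolved by realpath(). And because the advisory notes the task is reachable without authentication, a real WordPress handler would additionally gate the deletion behind a capability check (current_user_can()) and a nonce (check_ajax_referer()) before any path handling takes place.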
Potential Impact
The impact of CVE-2025-6065 is significant for organizations running WordPress websites with the vulnerable 'Image Resizer On The Fly' plugin. Successful exploitation allows attackers to delete arbitrary files on the web server, which can disrupt website functionality and availability. Critical files like wp-config.php can be targeted, potentially exposing database credentials or enabling remote code execution, leading to full server compromise. This threatens the confidentiality, integrity, and availability of the affected systems. Organizations may face website downtime, data breaches, and loss of customer trust. Attackers could leverage this vulnerability to pivot within the network or deploy further malware. Given WordPress's widespread use globally, the vulnerability poses a broad risk to small businesses, enterprises, and hosting providers. The unauthenticated, remote nature of the exploit increases the likelihood of automated attacks and mass exploitation attempts once exploit code becomes available.
Mitigation Recommendations
To mitigate CVE-2025-6065, organizations should immediately audit their WordPress installations for the presence of the 'Image Resizer On The Fly' plugin and its version. If an updated, patched version is released, apply it promptly. In the absence of an official patch, temporarily disable or uninstall the plugin to eliminate the attack surface. Implement web application firewall (WAF) rules to detect and block suspicious requests attempting directory traversal patterns targeting the 'delete' task. Restrict file system permissions to limit the plugin's ability to delete files outside its intended directories. Monitor server logs for unusual file deletion activities or access patterns. Additionally, maintain regular backups of website files and databases to enable rapid recovery if files are deleted. Employ intrusion detection systems to alert on anomalous behavior. Finally, follow secure coding practices and validate all user inputs rigorously in custom plugins or themes to prevent similar vulnerabilities.
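The recommendations above call for WAF rules and log monitoring aimed at traversal patterns against the delete task. The PHP below is an added example for this page, not a tool from the plugin's author or from the advisory source: it scans combined-format access log lines, decodes percent-encoding repeatedly so double-encoded sequences are not missed, and reports requests that combine a delete task with a parent-directory traversal. The log lines, the plugin path and the `task=delete` parameter name are constructed assumptions, not the plugin's documented interface.

```php
<?php
declare(strict_types=1);

// Added example: flag path-traversal attempts against a deletion task in access logs.
// The log lines, the plugin path and the "task=delete" parameter are constructed
// for this example and are not the plugin's documented interface.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [14/Jun/2025:08:12:01 +0000] "GET /wp-content/plugins/PLUGIN-PLACEHOLDER/resize.php?task=delete&file=thumb.jpg HTTP/1.1" 200 12
203.0.113.11 - - [14/Jun/2025:08:12:05 +0000] "GET /wp-content/plugins/PLUGIN-PLACEHOLDER/resize.php?task=delete&file=../../../wp-config.php HTTP/1.1" 200 12
203.0.113.12 - - [14/Jun/2025:08:12:09 +0000] "GET /wp-content/plugins/PLUGIN-PLACEHOLDER/resize.php?task=delete&file=..%252f..%252fwp-config.php HTTP/1.1" 200 12
203.0.113.13 - - [14/Jun/2025:08:12:14 +0000] "GET /index.php HTTP/1.1" 200 3000
LOG;

/** Decode percent-encoding repeatedly (bounded) so double-encoded "../" is caught. */
function fullyDecode(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

/** True when the decoded request target contains a parent-directory step ("..") as a path element. */
function hasTraversal(string $requestTarget): bool
{
    $decoded = str_replace('\\', '/', fullyDecode($requestTarget)); // normalise Windows separators
    // ".." preceded by a delimiter (start, "/", "=", "&", "?") and followed by "/" or end of string.
    return (bool) preg_match('#(^|[^\w.])\.\.(?:/|$)#', $decoded);
}

/**
 * Parse combined-format lines and return those that hit a delete task with a
 * traversal sequence, as [ip, time, decoded target] records.
 */
function findTraversalDeletes(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client, ident, user, [timestamp], "METHOD target PROTOCOL"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        $ip = $m[1];
        $time = $m[2];
        $target = $m[4];

        $decodedTarget = fullyDecode($target);
        if (stripos($decodedTarget, 'task=delete') === false) {
            continue; // only the deletion task is of interest here
        }
        if (hasTraversal($target)) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'target' => $decodedTarget];
        }
    }
    return $hits;
}

foreach (findTraversalDeletes(SAMPLE_LOG) as $hit) {
    printf("%s %s %s\n", $hit['time'], $hit['ip'], $hit['target']);
}
```

The same decode-then-match logic is what a WAF rule for this case needs: a rule that matches only the literal `../` misses the double-encoded variant in the third sample line, while matching after full decoding catches both. Treat any hit as an indicator to check the integrity of wp-config.php and other core files against the most recent backup, since a successful deletion leaves no file to inspect.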
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-13T13:36:30.138Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 684d3417a8c9212743818b22
Added to database: 6/14/2025, 8:34:31 AM
Last enriched: 2/27/2026, 4:01:37 PM
Last updated: 3/24/2026, 9:26:06 PM