CVE-2025-6065: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wework4web Image Resizer On The Fly

Critical
Tags: vulnerability, cve, cve-2025-6065, cwe-22
Published: Sat Jun 14 2025 (06/14/2025, 08:23:21 UTC)
Source: CVE Database V5
Vendor/Project: wework4web
Product: Image Resizer On The Fly

Description

The Image Resizer On The Fly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' task in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

AI-Powered Analysis

Last updated: 06/14/2025, 08:49:26 UTC

Technical Analysis

CVE-2025-6065 is a critical vulnerability in the WordPress plugin 'Image Resizer On The Fly' by wework4web. The plugin resizes images on demand and exposes a 'delete' task for removing generated files. That task does not sufficiently validate the file path it is given (CWE-22, path traversal), so a request can name a location outside the intended directory, using '../' segments or their URL-encoded equivalents, and have the plugin delete it. The flaw affects all versions up to and including 1.1; the description gives no fixed version.

No authentication or user interaction is required, so anyone who can reach the site over the network can exploit it, and the deletion runs with the privileges of the web server process. Deleting wp-config.php is the classic escalation: without its configuration file WordPress behaves as if it were not yet installed and serves the setup wizard, which lets the attacker point the site at a database they control and then install a malicious theme or plugin, giving remote code execution. Deleting other files, such as core PHP files, yields denial of service.

The CVSS v3.1 base score of 9.1 reflects a network-reachable, low-complexity attack needing no privileges or user interaction, with high impact on integrity and availability and no direct confidentiality impact (the indirect consequences above are not scored). No exploitation in the wild was known at publication, but bugs of this shape are quickly folded into automated scanners. Any internet-facing WordPress site running this plugin without compensating controls should be treated as at critical risk.
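The two patterns at issue, as an added illustration that is not the plugin's code (its source is not shown on this page): a naive delete handler that joins the request's path onto the cache directory, beside a hardened one that decodes, resolves and checks containment before deleting. The directory layout, the 'resized' cache folder, the file names and the fixture itself are assumptions for the demo.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when a user-supplied path would leave the allowed directory."""


def naive_target(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: join user input onto the base directory and
    trust the result. normpath happily collapses '../' segments, so the
    returned path can sit anywhere on the filesystem."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_target(base_dir: str, user_path: str) -> str:
    """The hardened pattern: decode URL-encoding twice (to collapse double
    encoding), reject NUL bytes and absolute paths, resolve symlinks with
    realpath, and require the result to stay strictly inside base_dir."""
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded or os.path.isabs(decoded) or decoded.startswith("\\"):
        raise PathTraversal(user_path)
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # Containment test: the common prefix must be base_dir itself. Equality
    # with base_dir is rejected so '.' cannot target the directory.
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversal(user_path)
    return candidate


def is_rejected(base_dir: str, user_path: str) -> bool:
    try:
        safe_target(base_dir, user_path)
    except PathTraversal:
        return True
    return False


def build_demo_site() -> tuple[str, str]:
    """Constructed fixture, not a real install: a throwaway WordPress-like
    tree under a temp directory with a placeholder wp-config.php and one
    resized image in an assumed cache directory."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    cache = os.path.join(root, "wp-content", "uploads", "resized")
    os.makedirs(cache)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php /* constructed placeholder */\n")
    with open(os.path.join(cache, "photo-300x200.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")  # JPEG SOI marker is enough for a demo
    return root, cache


def run_demo() -> dict:
    """Exercise both handlers against the fixture and report what happened."""
    root, cache = build_demo_site()
    config = os.path.realpath(os.path.join(root, "wp-config.php"))
    escape = "../../../wp-config.php"  # resized -> uploads -> wp-content -> root
    results = {
        "naive_escapes": os.path.realpath(naive_target(cache, escape)) == config,
        "safe_blocks_plain": is_rejected(cache, escape),
        "safe_blocks_encoded": is_rejected(cache, "..%2F..%2F..%2Fwp-config.php"),
        "safe_blocks_double_encoded": is_rejected(cache, "..%252F..%252F..%252Fwp-config.php"),
        "safe_blocks_absolute": is_rejected(cache, "/etc/passwd"),
        "safe_blocks_nul": is_rejected(cache, "photo-300x200.jpg\x00../../../wp-config.php"),
        "safe_blocks_dir_itself": is_rejected(cache, "."),
    }
    # The legitimate request still works: resolve, then delete the cache file.
    legit = safe_target(cache, "photo-300x200.jpg")
    os.remove(legit)
    results["legit_deleted"] = not os.path.exists(legit)
    results["config_survives"] = os.path.exists(config)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:28s} {value}")
```

The containment check is done on the realpath of both sides so that a symlink inside the cache directory cannot point the deletion back out of it; checking the string prefix before resolution would miss that case.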

Potential Impact

For European organizations, this vulnerability poses a significant threat to the integrity and availability of WordPress-based web assets. Many European businesses, government agencies, and NGOs rely on WordPress for their web presence, often using plugins like Image Resizer On The Fly for media management. Exploitation could lead to arbitrary file deletion, resulting in website outages, data loss, or full site compromise through remote code execution. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance, especially under GDPR if personal data is exposed or lost. The ease of exploitation without authentication increases the risk of automated mass scanning and attacks targeting vulnerable sites. Organizations in sectors with high web presence such as e-commerce, media, and public services are particularly vulnerable. Additionally, the potential for remote code execution could be leveraged to pivot into internal networks, escalating the impact beyond the web server. Given the criticality and the widespread use of WordPress in Europe, the threat could affect a large number of organizations, leading to significant operational and financial consequences.

Mitigation Recommendations

1. Remove or disable the 'Image Resizer On The Fly' plugin immediately and keep it off until a fixed version is released.
2. Add Web Application Firewall (WAF) rules that block requests invoking the plugin's 'delete' task whose parameters contain traversal sequences, including URL-encoded ('%2e%2e%2f') and double-encoded forms; inspect POST bodies as well as query strings.
3. Restrict file system permissions for the web server user so that it can delete only what it must. Note that deleting a file requires write permission on the parent directory, not on the file itself, so making wp-config.php read-only does not protect it; the directory containing it must not be writable by the web server user. WordPress also supports placing wp-config.php one level above the document root.
4. Monitor web server logs for requests that invoke the plugin's 'delete' task with '../' or encoded equivalents in any parameter. The HTTP method is not the indicator: the 'delete' task is an application parameter, not an HTTP DELETE request. Pair this with file integrity monitoring of wp-config.php.
5. Apply network-level protections such as IP reputation filtering and rate limiting to reduce exposure to automated scanning.
6. Audit all installed WordPress plugins and remove or replace those that are unmaintained or have known vulnerabilities.
7. Prepare an incident response plan for web server compromise involving file deletion or code execution. A site that suddenly presents the WordPress installation screen should be treated as compromised, not as a misconfiguration, since that is what a deleted wp-config.php looks like.
8. Once available, apply the vendor's patch promptly and verify the fix by testing that traversal sequences in the 'delete' task are rejected.
9. Educate web administrators on the risks of installing plugins from unverified sources and on the importance of timely updates.
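A log-side check matching recommendation 4, added here as an example that is not part of the advisory: it parses combined-format access-log lines, decodes every query parameter repeatedly and flags '..' segments, absolute paths and NUL bytes. The query parameter names ('task', 'file') and the request path are assumptions, since the advisory names only the 'delete' task; the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx combined log format; fields after the status are not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A '..' path segment bounded by a separator (forward or back slash) or a string edge.
TRAVERSAL_SEGMENT = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

# Constructed sample: one legitimate cache deletion, a plain traversal, a
# double-encoded one, a backslash variant on another task, and an unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2025:09:01:12 +0000] "GET /?task=delete&file=cache/photo-300x200.jpg HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2025:09:01:15 +0000] "GET /?task=delete&file=../../../wp-config.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jun/2025:09:02:40 +0000] "GET /?task=delete&file=..%252F..%252F..%252Fwp-config.php HTTP/1.1" 200 17 "-" "python-requests/2.32"
198.51.100.23 - - [14/Jun/2025:09:02:41 +0000] "GET /?task=resize&file=..%5C..%5Cwp-config.php&w=100 HTTP/1.1" 200 812 "-" "python-requests/2.32"
192.0.2.9 - - [14/Jun/2025:09:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    v = fully_decode(value)
    return bool(TRAVERSAL_SEGMENT.search(v)) or v.startswith(("/", "\\")) or "\x00" in v


def analyse_line(line: str) -> list[dict]:
    """Return one finding per query parameter that carries a traversal."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    params = parse_qsl(query, keep_blank_values=True)  # first decoding round
    task = dict(params).get("task")  # assumed parameter name for the plugin task
    findings = []
    for name, value in params:
        if is_traversal(value):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "task": task,
                "param": name,
                "decoded": fully_decode(value),
                "status": m.group("status"),
            })
    return findings


def scan(log_text: str) -> list[dict]:
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(analyse_line(line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']:15s} task={f['task']!s:7s} {f['param']}={f['decoded']}")
```

Access logs do not contain POST bodies, so this only catches query-string invocation; for POST the same test belongs in a WAF rule or in the request handler. A 200 status does not distinguish a successful deletion from a failed one, so correlate hits with file integrity checks on wp-config.php rather than relying on the status code.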


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-13T13:36:30.138Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 684d3417a8c9212743818b22

Added to database: 6/14/2025, 8:34:31 AM

Last enriched: 6/14/2025, 8:49:26 AM

Last updated: 6/14/2025, 4:46:31 PM