PT-2025-44588 · WordPress · Wordpress Zombify

Tonn · Published 2025-10-31 · Updated 2025-10-31 · CVE-2025-8385

CVSS v3.1: 6.8 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WordPress Zombify plugin versions up to and including 1.7.5

Description

The Zombify plugin for WordPress is susceptible to a Path Traversal issue. This is caused by inadequate input validation within the zf_get_file_by_url function. Authenticated attackers with subscriber-level access or higher can potentially read arbitrary files on the server, including sensitive system files like /etc/passwd, by submitting a crafted request. Exploitation of this issue is dependent on a race condition, as the generated file is immediately deleted.

Recommendations

Update WordPress Zombify plugin to a version later than 1.7.5.

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2025-8385

Affected Products: Wordpress Zombify