CVE-2025-8385 – Zombify

CVE ID : CVE-2025-8385

Published : Oct. 31, 2025, 8:15 a.m. | 1 hour, 11 minutes ago

Description : The Zombify plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5. This is due to insufficient input validation in the zf_get_file_by_url function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read arbitrary files on the server, including sensitive system files like /etc/passwd, via a forged request. It’s worth noting that successfully exploiting this vulnerability relies on a race condition as the file generated will be deleted immediately.

Severity: 6.8 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…