CVE-2025-8385 is a path traversal vulnerability classified under CWE-22 affecting the PX-lab Zombify plugin for WordPress, versions up to and including 1.7.5. The root cause is insufficient input validation in the zf_get_file_by_url function, which fails to properly restrict file pathnames to authorized directories. This flaw allows an authenticated attacker with subscriber-level privileges or higher to manipulate file path parameters to access arbitrary files on the server filesystem. The vulnerability is exploitable remotely over the network without user interaction but requires authentication at a low privilege level. A race condition is involved because the plugin generates a temporary file that is deleted immediately, so the attacker must time the request precisely to read the file contents before deletion. The impact is primarily on confidentiality, as attackers can read sensitive system files such as /etc/passwd, potentially leading to further attacks or information disclosure. The CVSS 3.1 base score of 6.8 reflects medium severity, with high attack complexity due to the race condition, no integrity or availability impact, and a scope change since the vulnerability affects the underlying system beyond the plugin itself. No patches or known exploits have been reported at the time of publication, but the vulnerability poses a significant risk to WordPress sites using this plugin if left unmitigated.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive system files and configuration data, potentially exposing user credentials, system configurations, or other confidential information. This exposure could facilitate further attacks such as privilege escalation, lateral movement, or targeted exploitation of other vulnerabilities. Organizations relying on WordPress sites with the PX-lab Zombify plugin are at risk of data breaches and compliance violations, especially under GDPR regulations that mandate protection of personal data. The requirement for authenticated access lowers the risk somewhat but does not eliminate it, as subscriber-level accounts are common and may be compromised or created by attackers. The race condition adds complexity to exploitation but does not prevent it. The vulnerability does not impact system integrity or availability directly but compromises confidentiality, which can have cascading effects on organizational security posture.

1. Immediately upgrade the PX-lab Zombify plugin to a version that addresses this vulnerability once available. 2. Until a patch is released, restrict subscriber-level access and review user roles to minimize the number of users with such privileges. 3. Implement web application firewall (WAF) rules to detect and block suspicious path traversal patterns targeting the zf_get_file_by_url function. 4. Monitor server logs for unusual file access attempts or race condition exploitation patterns. 5. Harden the server filesystem permissions to limit the plugin’s ability to access sensitive files outside its intended directories. 6. Employ intrusion detection systems (IDS) to alert on anomalous file read operations. 7. Conduct regular security audits of WordPress plugins and remove or replace those that are unmaintained or vulnerable. 8. Educate administrators and users about the risks of low-privilege account compromise and enforce strong authentication mechanisms.