The PX-lab Zombify WordPress plugin contains a path traversal vulnerability identified as CVE-2025-8385, affecting all versions up to and including 1.7.5. The root cause is insufficient input validation in the zf_get_file_by_url function, which fails to properly restrict pathname inputs to a safe directory. Authenticated attackers with subscriber-level privileges or higher can craft malicious requests that traverse directories and access arbitrary files on the server filesystem. The vulnerability is complicated by a race condition: the file targeted by the traversal is generated temporarily and deleted immediately, requiring precise timing to exploit successfully. This flaw allows attackers to read sensitive files such as /etc/passwd, potentially exposing user account information and system details. The vulnerability does not allow modification or deletion of files, nor does it cause denial of service. Exploitation requires network access and authentication but no additional user interaction. The CVSS 3.1 base score is 6.8, reflecting a medium severity with a high impact on confidentiality, no impact on integrity or availability, and a high attack complexity. No public exploits have been reported yet, but the vulnerability poses a significant risk to affected WordPress sites using this plugin.

This vulnerability primarily impacts the confidentiality of affected systems by allowing unauthorized reading of arbitrary files, including sensitive system files. Exposure of files like /etc/passwd can aid attackers in further reconnaissance and potential privilege escalation. While the vulnerability does not directly affect integrity or availability, the information disclosure can facilitate more advanced attacks. Organizations running WordPress sites with the Zombify plugin installed are at risk of data leakage, which can lead to reputational damage, compliance violations, and increased attack surface. The requirement for authenticated access limits the scope somewhat, but subscriber-level access is commonly granted to many users, increasing the risk in multi-user environments. The race condition exploitation complexity may reduce the likelihood of widespread automated attacks but does not eliminate targeted exploitation risks. Without timely mitigation, attackers could leverage this vulnerability to gain sensitive information and plan subsequent attacks.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates from PX-lab addressing CVE-2025-8385. If no patch is available, temporarily disabling or removing the Zombify plugin is recommended. Implement strict access controls to limit subscriber-level privileges to trusted users only. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious path traversal patterns targeting the zf_get_file_by_url function. Monitor server logs for unusual file access attempts and race condition exploitation indicators. Consider isolating WordPress installations in containers or sandboxes to limit filesystem exposure. Additionally, conduct regular security audits of plugins and restrict plugin installations to those from trusted sources. Educate administrators and users about the risks of granting unnecessary privileges. Finally, implement file integrity monitoring to detect unauthorized file reads or changes.