CVE-2025-8385 is a path traversal vulnerability classified under CWE-22 affecting the PX-lab Zombify plugin for WordPress, specifically all versions up to and including 1.7.5. The vulnerability arises from insufficient input validation in the zf_get_file_by_url function, which fails to properly restrict pathname inputs to a safe directory. This flaw allows an authenticated attacker with subscriber-level privileges or higher to craft a malicious request that causes the plugin to read arbitrary files on the server filesystem. The attacker can potentially access sensitive system files such as /etc/passwd, which may contain user account information. However, exploitation relies on a race condition because the file generated by the plugin is deleted immediately after creation, requiring precise timing to successfully retrieve the file contents. The vulnerability has a CVSS 3.1 base score of 6.8, reflecting a medium severity level. The vector indicates network attack (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), scope changed (S:C), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). No public exploits have been reported yet, but the vulnerability poses a significant risk to confidentiality if exploited. The plugin is widely used in WordPress environments, making it a relevant threat to many web servers running this CMS with the Zombify plugin installed.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive server files, potentially exposing user credentials, configuration files, or other critical data. Since the attack requires authenticated access at subscriber level or above, organizations with large user bases or weak access controls are particularly vulnerable. The exposure of system files could facilitate further attacks, such as privilege escalation or lateral movement within the network. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach could result in regulatory non-compliance under GDPR, reputational damage, and financial penalties. Websites running WordPress with the Zombify plugin are common across Europe, especially in small to medium enterprises and public sector entities, increasing the scope of potential impact. The race condition exploitation complexity may limit widespread exploitation but does not eliminate risk, particularly from skilled attackers or insiders.

Organizations should immediately audit their WordPress installations to identify the presence of the Zombify plugin and its version. Until an official patch is released, restrict subscriber-level user permissions to the minimum necessary and monitor for unusual file access patterns or suspicious HTTP requests targeting the vulnerable function. Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts targeting the plugin's endpoints. Employ file integrity monitoring to detect unauthorized access or changes to sensitive files. Consider temporarily disabling or uninstalling the Zombify plugin if it is not essential. Once a patch becomes available, apply it promptly. Additionally, enforce strong authentication and session management controls to reduce the risk of credential compromise that could facilitate exploitation. Regularly review and update WordPress plugins to avoid similar vulnerabilities.