{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12496", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-29T21:34:11.697Z", "datePublished": "2025-12-17T07:21:00.830Z", "dateUpdated": "2026-04-08T16:43:40.238Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:40.238Z"}, "affected": [{"vendor": "dylanjkotze", "product": "Zephyr Project Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.203", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. On a servers that have `allow_url_fopen` enabled, this issue allows for Server-Side Request Forgery"}], "title": "Zephyr Project Manager <= 3.3.203 - Authenticated (Custom+) Arbitrary File Read And Server-Side Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b4b0640-d61a-4969-a5c0-d2d709fb56d0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Base/AjaxHandler.php#L3506"}, {"url": "https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Core/Projects.php#L1870"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2025-10-21T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-29T21:54:58.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-16T18:43:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T21:43:09.605954Z", "id": "CVE-2025-12496", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:43:20.916Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12496", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T21:43:09.605954Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:43:15.575Z"}}], "cna": {"title": "Zephyr Project Manager <= 3.3.203 - Authenticated (Custom+) Arbitrary File Read And Server-Side Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "dylanjkotze", "product": "Zephyr Project Manager", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.3.203"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-21T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-10-29T21:54:58.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-16T18:43:41.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b4b0640-d61a-4969-a5c0-d2d709fb56d0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Base/AjaxHandler.php#L3506"}, {"url": "https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Core/Projects.php#L1870"}], "descriptions": [{"lang": "en", "value": "The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. On a servers that have `allow_url_fopen` enabled, this issue allows for Server-Side Request Forgery"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-17T07:21:00.830Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12496", "state": "PUBLISHED", "dateUpdated": "2025-12-17T21:43:20.916Z", "dateReserved": "2025-10-29T21:34:11.697Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-17T07:21:00.830Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. On a servers that have `allow_url_fopen` enabled, this issue allows for Server-Side Request Forgery"}], "id": "CVE-2025-12496", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-17T08:15:42.787", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Base/AjaxHandler.php#L3506"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Core/Projects.php#L1870"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b4b0640-d61a-4969-a5c0-d2d709fb56d0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:30:25.422868+00:00", "value": {"mitigation_remediation": ["Upgrade Zephyr Project Manager to the latest release (3.3.204 or later).", "Restrict the file parameter by validating that it references only permitted directories and disallow traversal characters.", "Disable allow_url_fopen in the PHP configuration to prevent Server\u2011Side Request Forgery unless it is required by other applications."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all deployments of Zephyr Project Manager on WordPress up to and including version 3.3.203. Users of earlier versions should verify their plugin release and apply the latest update once released.", "description_and_impact": "The Zephyr Project Manager WordPress plugin is vulnerable to a directory traversal flaw that allows authenticated users with Custom-level or higher access to retrieve the contents of arbitrary files on the server via the file parameter. This bug enables attackers to read sensitive data such as configuration files, credentials, or code, and, on servers with allow_url_fopen enabled, also permits Server\u2011Side Request Forgery, expanding the scope to external network resources. The weakness is identified as CWE\u201122, indicating improper handling of user\u2011supplied paths, which can lead to confidentiality breaches.", "risk_and_exploitability": "The CVSS score is 4.9, indicating a low overall severity, and the EPSS score is less than 1\u202f%, showing a very low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Exploitation requires authentication and at least Custom\u2011level privileges, so an attacker must first compromise or compromise credentials. The potential for SSRF is contingent on the server configuration, specifically the allow_url_fopen setting. Overall, the risk can be mitigated by addressing the flaw rather than relying on post\u2011exploitation damage."}}}}, "created": "2025-12-17T14:28:31.505759+00:00", "updated": "2026-04-22T20:30:26.775305+00:00", "vendors": ["dylanjkotze", "dylanjkotze$PRODUCT$zephyr_project_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}