{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8385", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-30T18:45:04.999Z", "datePublished": "2025-10-31T07:26:40.967Z", "dateUpdated": "2026-04-08T17:31:58.744Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:58.744Z"}, "affected": [{"vendor": "PX-lab", "product": "Zombify", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zombify plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5. This is due to insufficient input validation in the zf_get_file_by_url function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read arbitrary files on the server, including sensitive system files like /etc/passwd, via a forged request. It's worth noting that successfully exploiting this vulnerability relies on a race condition as the file generated will be deleted immediately."}], "title": "Zombify <= 1.7.5 - Authenticated (Subscriber+) Path Traversal to Arbitrary File Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef9010e3-f060-4bef-b62b-4a648f5e5577?source=cve"}, {"url": "https://themeforest.net/item/boombox-viral-buzz-wordpress-theme/16596434"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "timeline": [{"time": "2025-10-30T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-31T17:20:56.776678Z", "id": "CVE-2025-8385", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-01T15:36:09.256Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8385", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-31T17:20:56.776678Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-31T17:21:56.215Z"}}], "cna": {"title": "Zombify <= 1.7.5 - Authenticated (Subscriber+) Path Traversal to Arbitrary File Read", "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"}}], "affected": [{"vendor": "PX-lab", "product": "Zombify", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-30T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef9010e3-f060-4bef-b62b-4a648f5e5577?source=cve"}, {"url": "https://themeforest.net/item/boombox-viral-buzz-wordpress-theme/16596434"}], "descriptions": [{"lang": "en", "value": "The Zombify plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5. This is due to insufficient input validation in the zf_get_file_by_url function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read arbitrary files on the server, including sensitive system files like /etc/passwd, via a forged request. It's worth noting that successfully exploiting this vulnerability relies on a race condition as the file generated will be deleted immediately."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:58.744Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8385", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:58.744Z", "dateReserved": "2025-07-30T18:45:04.999Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-31T07:26:40.967Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zombify plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5. This is due to insufficient input validation in the zf_get_file_by_url function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read arbitrary files on the server, including sensitive system files like /etc/passwd, via a forged request. It's worth noting that successfully exploiting this vulnerability relies on a race condition as the file generated will be deleted immediately."}], "id": "CVE-2025-8385", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.0, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-31T08:15:36.777", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/boombox-viral-buzz-wordpress-theme/16596434"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef9010e3-f060-4bef-b62b-4a648f5e5577?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:06:43.624181+00:00", "value": {"mitigation_remediation": ["Upgrade the Zombify plugin to the latest version that removes the path traversal vulnerability", "If an upgrade is not yet available, disable the plugin or remove it entirely to eliminate the vulnerable code path", "Limit the ability for subscriber+ and higher roles to execute the zf_get_file_by_url functionality, for example by adjusting role permissions or employing a content restriction plugin", "Monitor web server and application logs for unexpected file read attempts and block IP addresses that exhibit suspicious behavior"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Read via Path Traversal"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts PX\u2011lab Zombify plugin for WordPress, specifically all releases up to and including version 1.7.5. Any installation using these versions is susceptible when a subscriber+ or higher user is able to trigger the zf_get_file_by_url functionality.", "description_and_impact": "The Zombify WordPress plugin is vulnerable to a path traversal flaw due to lack of input validation in the zf_get_file_by_url function. Authenticated users with subscriber-level privileges or higher can craft a request that causes the plugin to read arbitrary files on the server, including sensitive files such as /etc/passwd. The race condition means the generated file is deleted immediately, but the disclosure of its contents still allows an attacker to gain information about the system or user credentials. This results in information disclosure and could be leveraged for further attacks if the data is critical.", "risk_and_exploitability": "With a CVSS score of 6.8 the flaw is considered moderate in severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The exploitation requires an authenticated user with subscriber-level access who can issue a forged request to invoke the vulnerable function; the race condition causing immediate file deletion may limit the economic value of the attack but still provides valuable information to an attacker. Overall the risk is moderate but the potential impact of leaked configuration or system data warrants prompt attention."}}}}, "created": "2025-11-03T10:45:06.451370+00:00", "updated": "2026-04-20T19:15:15.045206+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}