CVE-2025-8385 · CVSS 6.8 (Medium)

CVE-2025-8385: Path Traversal in Zombify WordPress Plugin

Platform

wordpress

Component

zombify

Fixed in

1.7.6

AI Confidence: high · Source: NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2025-8385 is a path traversal vulnerability in the Zombify WordPress plugin by PX-lab. It affects versions 1.0.0 through 1.7.5 and is fixed in 1.7.6. According to the advisory text, an authenticated attacker with as little as Subscriber-level access can use the flaw to read files on the server outside the plugin's intended directory. The CVSS vector recorded on this page (PR:N) does not reflect that authentication requirement, so when assessing exposure assume that any registered account is enough. Successful exploitation also depends on winning a race condition, which makes the attack less reliable but not less dangerous: if the site allows self-registration a subscriber account costs nothing, and a race can simply be retried until it is won.


Impact and Attack Scenarios

The impact is unauthorized disclosure of file contents. An attacker who wins the race can read any file the PHP process can open, and on a typical WordPress install that includes wp-config.php (database credentials, the authentication keys and salts, and any API keys stored there), other plugins' configuration files, and world-readable system files such as /etc/passwd. The bug itself changes nothing on the server, which is why the CVSS vector records no integrity or availability impact; the damage comes from what the stolen data enables. Database credentials give direct database access wherever the database is reachable from the attacker's position, which is enough to create an administrator account, and file contents and directory layouts of the host supply the reconnaissance an attacker needs for privilege escalation or lateral movement.

Exploitation Context

CVE-2025-8385 was publicly disclosed on 2025-10-31. No public exploit or proof-of-concept code is known, no active campaigns have been reported, and the CVE is not listed in the CISA KEV catalog. The race condition raises the bar for reliable exploitation, but races are normally retried until they succeed, so the requirement slows an attacker rather than stopping one.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.11% (30th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N, base score 6.8 (Medium)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit. Note that this is what the recorded vector says; the advisory text describes the attacker as an authenticated subscriber, which would be PR:L. The two disagree, and the safer assumption for exposure purposes is that any registered account suffices.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: zombify
Vendor: PX-lab
Affected range: 0 – 1.7.5
Fixed in: 1.7.6

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 205 days since disclosure

Mitigation and Workarounds

The recommended mitigation for CVE-2025-8385 is to upgrade Zombify to 1.7.6 or later, the version listed as fixed. Where the upgrade has to wait, reduce what a successful read can reach and who can attempt one. Restrict wp-config.php to the account PHP runs as (mode 0400 or 0440 owned by that user), scope the database credentials to the one database WordPress uses, and turn off "Anyone can register" under Settings > General if the site does not need self-registration, since the attack requires an account. A Web Application Firewall rule that rejects ../ and its percent-encoded forms (%2e%2e%2f, and the double-encoded %252e%252e%252f) in query strings and request bodies sent to the plugin's endpoints blocks the obvious payloads, though not necessarily every encoding a given server will accept. Watch the web server access logs for requests to the plugin that carry traversal sequences or name files such as wp-config.php or /etc/passwd, and treat any that returned 200 as a likely successful read to be investigated. After upgrading, confirm the installed plugin version is 1.7.6 or later. If you test the endpoint yourself, request a file that does exist (for example wp-config.php through a traversal sequence) and verify its contents do not come back; requesting a non-existent file proves nothing, because a missing file fails whether or not the traversal check works.
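The log review suggested above, as an added example that is not part of this page or of the Zombify plugin: it parses Combined Log Format lines (the default for Apache and nginx), percent-decodes each request target until it stops changing so that double-encoded payloads are seen as ../, and flags requests that contain a dot-dot segment or name a file an arbitrary-read bug is usually pointed at. The sample lines are constructed, and the admin-ajax action and "file" parameter in them are placeholders, because this page does not name the vulnerable Zombify endpoint or parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real server). The
# "zf_placeholder" action and the "file" parameter are assumptions standing in
# for whatever endpoint the plugin actually exposes.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Oct/2025:10:12:01 +0000] "GET /wp-content/plugins/zombify/assets/img/logo.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Oct/2025:10:12:07 +0000] "GET /wp-admin/admin-ajax.php?action=zf_placeholder&file=../../../../wp-config.php HTTP/1.1" 200 3211 "-" "curl/8.4.0"
203.0.113.9 - - [31/Oct/2025:10:12:08 +0000] "GET /wp-admin/admin-ajax.php?action=zf_placeholder&file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.9 - - [31/Oct/2025:10:12:09 +0000] "GET /wp-admin/admin-ajax.php?action=zf_placeholder&file=%252e%252e%252fwp-config.php HTTP/1.1" 404 312 "-" "curl/8.4.0"
198.51.100.2 - - [31/Oct/2025:10:13:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD target HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A ".." segment followed by a separator or the end of the string, checked after decoding.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')
# Files an arbitrary-read bug is typically aimed at first.
SENSITIVE_RE = re.compile(r'wp-config\.php|/etc/passwd|/etc/shadow|\.htaccess|\.env', re.I)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded payload such as %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_request(target: str):
    """Return (decoded_target, reasons). An empty reasons list means clean."""
    decoded = fully_decode(target).replace('\\', '/')  # treat ..\ like ../
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append('dot-dot segment')
    if SENSITIVE_RE.search(decoded):
        reasons.append('sensitive filename')
    if reasons and decoded != target:
        reasons.append('percent-encoded')
    return decoded, reasons


def scan_log(text: str):
    """Parse log lines and return the suspicious requests, 2xx responses first:
    a traversal request that returned 200 is the one that may have read the file."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        decoded, reasons = inspect_request(m['target'])
        if reasons:
            findings.append({
                'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
                'target': m['target'], 'decoded': decoded, 'reasons': reasons,
            })
    findings.sort(key=lambda f: (f['status'] // 100 != 2, f['ts']))
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['status']} {f['ip']} {f['decoded']}  <- {', '.join(f['reasons'])}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's contents. The double-encoded request in the sample is flagged but returned 404, which is what you would expect from a server that decodes once: the filesystem never decodes, so %2e%2e is just an odd directory name. The two 200 responses are the ones to treat as probable reads.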

How to fix

Update the Zombify plugin to 1.7.6 or later. The fix validates the user-supplied path so that the file read can no longer leave the plugin's intended directory.
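What "properly validating" a user-supplied path means in practice, as an added example that is not the plugin's code (the page does not show the actual fix) and is written in Python rather than PHP so it can be run as is: the vulnerable pattern is a plain join of a base directory and user input, and the hardened version canonicalises the joined path with realpath and only accepts it if it is still inside the base directory. The demo directory layout, file names and the "plugin" directory are constructed for the example and are assumptions.

```python
import os
import tempfile
from urllib.parse import unquote


def unsafe_join(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: concatenate and hope. os.path.join discards
    base_dir entirely when user_path is absolute and does nothing about '..'."""
    return os.path.join(base_dir, user_path)


def resolve_within(base_dir: str, user_path: str):
    """Canonicalise base_dir + user_path and return it only if it is inside
    base_dir; otherwise return None. Symlinks are followed, so a link inside
    the directory that points outside is rejected as well."""
    if '\x00' in user_path:
        return None  # a NUL would truncate the path in C-level APIs
    base = os.path.realpath(base_dir)
    # Decode once, as the web server or PHP would. The filesystem never
    # decodes, so a double-encoded %252e stays a literal directory name.
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    # commonpath rather than str.startswith: '/srv/plugin2' must not pass for '/srv/plugin'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def build_demo_tree() -> str:
    """Constructed throwaway layout: a fake plugin directory with one template,
    a secret outside it, and a symlink inside that points at the secret."""
    root = tempfile.mkdtemp(prefix='zf-demo-')
    base = os.path.join(root, 'plugin')
    os.makedirs(os.path.join(base, 'templates'))
    with open(os.path.join(base, 'templates', 'card.html'), 'w') as fh:
        fh.write('<div>card</div>')
    with open(os.path.join(root, 'secret.txt'), 'w') as fh:
        fh.write('DB_PASSWORD=example')
    os.symlink(os.path.join(root, 'secret.txt'), os.path.join(base, 'link.txt'))
    return base


def demo():
    """Run the guard over the inputs an attacker would try; returns (base, results)."""
    base = build_demo_tree()
    cases = [
        'templates/card.html',          # legitimate request
        '../secret.txt',                # classic traversal
        '..%2Fsecret.txt',              # single-encoded traversal
        '%252e%252e/secret.txt',        # double-encoded: stays inside base, just a missing file
        '/etc/passwd',                  # absolute path swallows base_dir in os.path.join
        'link.txt',                     # symlink inside base pointing outside
        'templates/card.html\x00.txt',  # NUL truncation trick
    ]
    return base, {c: resolve_within(base, c) for c in cases}


if __name__ == '__main__':
    base, results = demo()
    print('unsafe_join:', unsafe_join(base, '/etc/passwd'))
    for case, res in results.items():
        print(repr(case), '->', 'REJECTED' if res is None else res)
```

The same check in PHP is realpath() on both the plugin directory and the joined path, followed by a prefix comparison that includes the trailing directory separator; remember that PHP's realpath() returns false for a path that does not exist, so that result has to be rejected explicitly.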


Frequently asked questions

What is CVE-2025-8385 — Path Traversal in Zombify WordPress Plugin?

CVE-2025-8385 is a path traversal vulnerability in the Zombify WordPress plugin, versions 1.0.0 through 1.7.5, that lets an authenticated attacker read arbitrary files on the server. It is fixed in version 1.7.6.

Am I affected by CVE-2025-8385 in Zombify WordPress Plugin?

You are affected if your WordPress site runs the Zombify plugin in any version from 1.0.0 through 1.7.5. Upgrade to 1.7.6 or later.

How do I fix CVE-2025-8385 in Zombify WordPress Plugin?

Upgrade the Zombify plugin to 1.7.6 or later. Until the upgrade is done, restrict file permissions on sensitive files such as wp-config.php, disable self-registration if it is not needed, and filter traversal payloads with a WAF.

Is CVE-2025-8385 being actively exploited?

Currently, there are no known active campaigns exploiting CVE-2025-8385, but it's crucial to apply the fix to prevent future attacks.

Where can I find the official Zombify advisory for CVE-2025-8385?

Check the Zombify plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-8385.
