Impact
The Zephyr Project Manager WordPress plugin is vulnerable to directory traversal: an authenticated user with Custom-level or higher access can place a relative path in the file parameter and retrieve the contents of arbitrary files on the server. This lets an attacker read sensitive data such as configuration files (on a WordPress site, wp-config.php with its database credentials is the obvious target), other credentials, or source code. On servers with allow_url_fopen enabled, the same parameter also accepts URLs, so the flaw extends to Server-Side Request Forgery against internal or external network resources. The weakness is classified as CWE-22 (improper limitation of a pathname to a restricted directory), and its impact is on confidentiality.
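The following is an added illustration of the bug class, not the plugin's own code: a hypothetical WordPress AJAX handler that reads a file named by the file parameter, first in the vulnerable shape described above and then hardened. The function names, the nonce action name and the use of manage_options as a stand-in for the plugin's Custom-level capability are assumptions.

```php
<?php
// Added example, not code from Zephyr Project Manager. Function names, the
// nonce action and the manage_options capability are assumptions.

// Vulnerable pattern: the user-supplied value is concatenated onto a base
// directory and passed straight to file_get_contents(). A value such as
// "../../../wp-config.php" walks out of the intended directory (CWE-22), and
// with allow_url_fopen=1 a value such as "http://169.254.169.254/..." is
// fetched from the network instead of the disk (SSRF).
function zpm_example_vulnerable_read() {
    $base = wp_upload_dir()['basedir'] . '/zephyr-project-manager/';
    $file = isset($_GET['file']) ? $_GET['file'] : '';
    return file_get_contents($base . $file);
}

// Hardened pattern: capability check, nonce check, rejection of any stream
// wrapper or NUL byte, then a realpath() prefix test so that only files that
// actually live under the intended directory can be served.
function zpm_example_safe_read() {
    if (!current_user_can('manage_options')) {
        wp_die('forbidden', '', array('response' => 403));
    }
    check_ajax_referer('zpm_example_nonce', 'nonce');

    $file = isset($_GET['file']) ? wp_unslash($_GET['file']) : '';

    // Refuse http://, https://, php://, file://, data: and similar outright;
    // this closes the SSRF vector regardless of the allow_url_fopen setting.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $file) || strpos($file, "\0") !== false) {
        wp_die('bad request', '', array('response' => 400));
    }

    $base = realpath(wp_upload_dir()['basedir'] . '/zephyr-project-manager');
    $path = realpath($base . '/' . $file);

    // realpath() resolves ".." segments and symlinks; anything that does not
    // resolve to a path strictly below $base is refused. The trailing
    // separator prevents "/uploads/zephyr-project-manager-evil" matching.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        wp_die('not found', '', array('response' => 404));
    }
    return file_get_contents($path);
}
```

The scheme check matters even on hosts where allow_url_fopen is off: php:// wrappers such as php://filter are available regardless of that setting, so a path filter that only blocks ".." is not enough.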
Affected Systems
This vulnerability affects all versions of Zephyr Project Manager for WordPress up to and including 3.3.203. Administrators running any of these versions should confirm the installed release and apply the fixed version as soon as one is published.
Risk and Exploitability
The CVSS base score is 4.9, a medium severity rating, and the EPSS score is below 1 %, indicating a very low estimated probability of exploitation in the wild. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires authentication with at least Custom-level privileges, so an attacker must first obtain or compromise valid credentials. The SSRF variant depends on server configuration, specifically on allow_url_fopen being enabled; turning it off removes that vector but does not remove the local file read. Overall, the practical risk is best reduced by updating the plugin and by limiting which accounts hold Custom-level or higher access, rather than by trying to contain damage after exploitation.
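Because exploitation needs a valid account, the useful detection signal is an authenticated request whose file parameter carries a traversal sequence or a URL scheme. The script below is an added example, not part of the advisory or the plugin: it scans constructed web-server log lines for such values. The admin-ajax.php path and the action name are assumptions standing in for whatever endpoint the plugin actually exposes.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic). The request path and
# the action= value are assumptions, not the plugin's real endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=zpm_example&file=report.pdf HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=zpm_example&file=../../../wp-config.php HTTP/1.1" 200 3120
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=zpm_example&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=zpm_example&file=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=zpm_example&file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4160
"""

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Anything that looks like a URL scheme or PHP stream wrapper (http:, php:, file:, data:).
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.I)


def classify_file_param(value):
    """Return 'traversal', 'scheme' or None for one file= value.

    parse_qs has already percent-decoded once; decoding again here catches
    double-encoded payloads such as %252e%252e%252f.
    """
    v = unquote(value).replace('\\', '/')
    if SCHEME_RE.match(v):
        return 'scheme'
    if v.startswith('/') or '/../' in '/' + v + '/' or '\0' in v:
        return 'traversal'
    return None


def scan_log(text):
    """Return (ip, kind, decoded_value, status) for every suspicious file= value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        if not parts.path.endswith('/wp-admin/admin-ajax.php'):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get('file', []):
            kind = classify_file_param(value)
            if kind:
                findings.append((m['ip'], kind, unquote(value), int(m['status'])))
    return findings


if __name__ == '__main__':
    for ip, kind, value, status in scan_log(SAMPLE_LOG):
        print(f'{ip:12} {kind:9} {status} {value}')
```

A 200 status on a traversal hit is the line to act on: it means the file read most likely succeeded, and the account behind that session should be treated as compromised. Benign filenames never contain a scheme prefix, so the 'scheme' class has essentially no false positives.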
OpenCVE Enrichment