Impact
The Zombify WordPress plugin is vulnerable to path traversal because the zf_get_file_by_url function does not validate its input. Authenticated users with subscriber-level privileges or higher can craft a request that causes the plugin to read arbitrary files on the server, including sensitive files such as /etc/passwd. Because of a race condition the generated file is deleted immediately, but its contents are still disclosed, which allows an attacker to learn about the system or obtain user credentials. The result is information disclosure, which could be leveraged for further attacks if the leaked data is critical.
Affected Systems
The vulnerability affects the PX-lab Zombify plugin for WordPress, in all releases up to and including version 1.7.5. Any installation running one of these versions is susceptible when a user with subscriber-level privileges or higher can trigger the zf_get_file_by_url functionality.
Risk and Exploitability
With a CVSS score of 6.8, the flaw is rated moderate in severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with subscriber-level access who can issue a forged request that invokes the vulnerable function; the race condition that deletes the file immediately may limit the value of the attack, but the disclosed contents still give an attacker useful information. Overall the risk is moderate, but the potential impact of leaked configuration or system data warrants prompt attention.
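The kind of input validation the advisory says zf_get_file_by_url lacks, shown as an added example that is not the plugin's own code: a hypothetical helper (the name zf_example_safe_local_file and the assumption that the URL should map into the WordPress uploads directory are mine) that refuses to resolve a URL to a local path unless the result stays under an allowed base directory.

```php
<?php
// Added example, not code from the Zombify plugin. Maps a URL to a local file
// only when the resolved path stays inside the WordPress uploads directory.
// wp_upload_dir(), trailingslashit() and WP_Error are WordPress core APIs; the
// helper name and the uploads-directory assumption are this example's own.
function zf_example_safe_local_file( $url ) {
    $uploads  = wp_upload_dir();
    $base_dir = realpath( $uploads['basedir'] );
    if ( false === $base_dir ) {
        return new WP_Error( 'no_uploads', 'Uploads directory not found.' );
    }

    // Accept only URLs under this site's uploads URL. Other hosts, other
    // schemes and bare filesystem paths are rejected instead of mapped to disk.
    $base_url = trailingslashit( $uploads['baseurl'] );
    if ( 0 !== strpos( $url, $base_url ) ) {
        return new WP_Error( 'bad_url', 'URL is not inside the uploads directory.' );
    }

    // Drop query string and fragment, then decode, so encoded traversal such as
    // %2e%2e%2f is normalised before the checks below rather than slipping past.
    $relative = substr( $url, strlen( $base_url ) );
    $relative = rawurldecode( preg_replace( '/[?#].*$/', '', $relative ) );

    // Reject null bytes and ".." segments up front; this is cheap and explicit.
    if ( '' === $relative
        || false !== strpos( $relative, "\0" )
        || preg_match( '#(^|[/\\\\])\.\.([/\\\\]|$)#', $relative ) ) {
        return new WP_Error( 'traversal', 'Path traversal sequence rejected.' );
    }

    // Resolve symlinks and normalise the path, then require that the real path
    // is still under the uploads base directory. This containment check is the
    // one that actually prevents reading files such as /etc/passwd.
    $candidate = realpath( $base_dir . DIRECTORY_SEPARATOR . $relative );
    if ( false === $candidate
        || ! is_file( $candidate )
        || 0 !== strpos( $candidate, $base_dir . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'outside_base', 'Resolved path is outside the uploads directory.' );
    }

    return $candidate;
}
```

A caller should treat a WP_Error return as a hard failure and log it, since repeated rejections from one subscriber account are a useful detection signal for traversal attempts.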
OpenCVE Enrichment