Skip to content
Medium Published: Dec 17, 2025

CVE-2025-12496

4.9 CVSS Score Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Export CVE-2025-12496 Data:
Share:
Link copied!

Description

The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. On a servers that have `allow_url_fopen` enabled, this issue allows for Server-Side Request Forgery

CVSS Vector Details

Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Weaknesses (CWE)

  • CWE-22

References & External Links

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

Related Vulnerabilities

CVE-2001-0054 CVSS 0 Same weakness: CWE-22 CVE-2001-0925 CVSS 0 Same weakness: CWE-22 CVE-2001-0780 CVSS 0 Same weakness: CWE-22 CVE-2001-1432 CVSS 0 Same weakness: CWE-22 CVE-2001-1205 CVSS 0 Same weakness: CWE-22

CVE History Timeline

Dec 17, 2025 08:15 New CVE Received
← Back to CVE Tracker