What the vulnerability does
01 Description
The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. On servers that have `allow_url_fopen` enabled, this issue also allows for Server-Side Request Forgery, because the same parameter can then name a URL or stream wrapper instead of a local path.
Explanation of Vulnerability in Simple Terms
02 Summary
Zephyr Project Manager versions 3.3.203 and earlier contain a path traversal vulnerability that allows authenticated administrators to read arbitrary files from the server. An attacker with high-level privileges can bypass directory restrictions and access sensitive files outside the intended application directory. This vulnerability requires administrative access and does not affect data integrity or availability.
What an attacker can do
03 Attacker Capabilities
Read arbitrary files on the server outside the application directory.
Potential impact on your site
04 Site Impact
Administrators with malicious intent or compromised admin accounts can access sensitive files like configuration files, database credentials, or private keys.
Conditions required to exploit
05 Prerequisites
Attacker must have administrator-level privileges on the application.
Key dates
06 Disclosure timeline
December 17, 2025: CVE published
April 8, 2026: Record updated