cleantalk
Vulnerabilities and Security Researches

Zephyr Project Manager, CVE-2025-12496

CVE, Research URL

CVE-2025-12496

Home page URL

Security reports for Zephyr Project Manager

Application

Zephyr Project Manager

Published on
Dec 17, 2025
Research Description
The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. On a servers that have `allow_url_fopen` enabled, this issue allows for Server-Side Request Forgery
Affected versions
max 3.3.204.
Status
vulnerable
Previous vulnerability researches
Zephyr Project Manager (CVE-2025-39552) , Apr 18, 2025
Zephyr Project Manager (CVE-2025-54714) , Sep 01, 2025
Zephyr Project Manager (CVE-2024-43322) , Aug 20, 2024
Zephyr Project Manager (CVE-2024-6536) , Aug 01, 2024
Zephyr Project Manager (CVE-2025-12496) , Jan 10, 2026
New vulnerability
OOPSpam Anti-Spam (CVE-2026-32544) , Mar 31, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2026-27042) , Mar 31, 2026
The Conference (CVE-2026-32335) , Mar 31, 2026
WP Booking System – Booking Calendar (CVE-2025-68515) , Mar 31, 2026
UPI QR Code Payment Gateway for WooCommerce (CVE-2025-67969) , Mar 31, 2026