Wednesday, April 30, 2025

WordPress security plugin WP Ghost vulnerable to remote code execution bug

Popular WordPress security plugin WP Ghost is vulnerable to a critical-severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers.

WP Ghost is a popular security add-on used on over 200,000 WordPress sites that claims to stop 140,000 hacker attacks and over 9 million brute-forcing attempts every month.

It also offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting.

However, as revealed by Patchstack, the security tool itself is vulnerable to a critical (CVSS score: 9.6) remote code execution (RCE) vulnerability that could lead to a complete site takeover.

The flaw, tracked as CVE-2025-26909, affects all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths.

The flaw is triggered only if WP Ghost's "Change Paths" feature is set to Lite or Ghost mode. Although these modes are not enabled by default, Patchstack notes that the Local File Inclusion (LFI) part applies to nearly all setups.

"The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file," reads Patchstack's report.

"Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup."

Hence, the vulnerability allows LFI universally, but whether it escalates to RCE depends on the specific server configuration.

LFI without RCE can still be dangerous through scenarios such as information disclosure, session hijacking, log poisoning, access to source code, and denial of service (DoS) attacks.

Following the discovery of the flaw by researcher Dimas Maulana on February 25, 2025, Patchstack analyzed it internally and eventually notified the vendor on March 3.

The next day, the developers of WP Ghost incorporated a fix in the form of additional validation on the URL or path supplied by users.
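As an added illustration (not WP Ghost's code, which this article does not show), here is a PHP file-serving helper that performs the kind of path validation the fix describes: the requested path is resolved with realpath() and rejected unless it stays inside an allow-listed base directory. The function name, the directory layout and the sample requests are assumptions constructed for the demo.

```php
<?php
// Added example, not the plugin's own code: resolve a user-supplied
// relative path against an allow-listed base directory and refuse
// anything that escapes it (the LFI pattern described above).

/**
 * Return the canonical path of $requested inside $baseDir,
 * or null if it does not exist or would escape $baseDir.
 */
function resolve_within_base(string $baseDir, string $requested): ?string {
    // Reject embedded NUL bytes before any filesystem call.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" segments and symlinks and returns
    // false for paths that do not exist, so only real files get through.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }
    // Compare against the base with a trailing separator, so that a
    // sibling such as "/srv/app-private" is not accepted for "/srv/app".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: one allowed asset in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
mkdir($dir . '/assets', 0700, true);
file_put_contents($dir . '/assets/style.css', 'body{}');

// Legitimate request resolves; traversal and absolute paths are rejected.
var_dump(resolve_within_base($dir . '/assets', 'style.css'));
var_dump(resolve_within_base($dir . '/assets', '../../../../etc/passwd'));
var_dump(resolve_within_base($dir . '/assets', '/etc/passwd'));

// Clean up the demo files.
unlink($dir . '/assets/style.css');
rmdir($dir . '/assets');
rmdir($dir);
```

Because the web server has already URL-decoded the request path by the time PHP sees it, the helper deliberately does not decode it again; a second decode would open the door to double-encoding bypasses.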

The patch was incorporated in WP Ghost version 5.4.02, while version 5.4.03 has also been made available in the meantime.

Users are recommended to upgrade to either version to mitigate CVE-2025-26909.
