WordPress security plugin WP Ghost vulnerable to remote code execution bug

The popular WordPress security plugin WP Ghost is affected by a critical-severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers.

WP Ghost is a widely used security add-on installed on over 200,000 WordPress websites; it claims to stop 140,000 hacker attacks and over 9 million brute-forcing attempts each month.

It also offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting.

However, as disclosed by Patchstack, the security tool itself is vulnerable to a critical (CVSS score: 9.6) remote code execution (RCE) vulnerability that could lead to a complete site takeover.

The flaw, tracked as CVE-2025-26909, affects all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the ‘showFile()’ function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths.

The flaw is triggered only if WP Ghost’s “Change Paths” feature is set to Lite or Ghost mode. Although these modes are not enabled by default, Patchstack notes that the Local File Inclusion (LFI) part of the issue applies to almost all setups.


“The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file,” reads Patchstack’s report.

“Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup.”

Hence, the vulnerability permits LFI universally, but whether it escalates to RCE depends on the specific server configuration.

LFI without RCE can still be dangerous through scenarios such as information disclosure, session hijacking, log poisoning, access to source code, and denial of service (DoS) attacks.

Following the discovery of the flaw by researcher Dimas Maulana on February 25, 2025, Patchstack analyzed it internally and ultimately notified the vendor on March 3.

The following day, the developers of WP Ghost included a fix in the form of additional validation on the URL or path supplied by users.


The patch was included in WP Ghost version 5.4.02, while version 5.4.03 has also been made available in the meantime.

Users are recommended to upgrade to either version to mitigate CVE-2025-26909.
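The class of fix described above, extra validation on a user-supplied URL path before it is used as a file path, looks roughly like the following. This is an added illustration written for this article, not WP Ghost’s own code; the base directory, extension allowlist and request strings are constructed assumptions.

```python
import os
from urllib.parse import unquote

# Constructed base directory for the illustration; an assumption, not WP Ghost's layout.
BASE_DIR = os.path.realpath("/var/www/html/wp-content/plugins/example-plugin/public")
# Only static asset types may be served; a server-side script is never an acceptable target.
ALLOWED_EXT = {".css", ".js", ".png", ".svg", ".woff2"}


class UnsafePath(ValueError):
    """Raised when a requested path must not be served."""


def resolve_requested_file(url_path: str, base_dir: str = BASE_DIR) -> str:
    """Map a user-supplied URL path to a file under base_dir, or raise UnsafePath.

    Decode once, reject control bytes and leftover encoding, canonicalise, then
    require the canonical result to stay inside base_dir and to carry an allowed
    extension. A bare substring check for "../" is deliberately not relied on.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:                   # null byte: classic extension truncation
        raise UnsafePath("null byte in path")
    if "%" in decoded or "\\" in decoded:   # double encoding or backslash separators
        raise UnsafePath("unexpected encoding in path")
    candidate = os.path.realpath(os.path.join(base_dir, decoded.lstrip("/")))
    # realpath collapses ".." and symlinks, so only canonical forms are compared.
    if os.path.commonpath([candidate, base_dir]) != base_dir:
        raise UnsafePath("path escapes base directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        raise UnsafePath("file type not served")
    return candidate


def is_safe_request(url_path: str) -> bool:
    """True when the path would be served, False when it is rejected."""
    try:
        resolve_requested_file(url_path)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed requests: benign assets alongside traversal and encoding variants.
    for req in ("/assets/style.css", "/assets/../assets/style.css",
                "../../../../wp-config.php", "%2e%2e/%2e%2e/etc/passwd",
                "style.css%00.php", "/admin/settings.php"):
        print(f"{req!r:35} -> {'serve' if is_safe_request(req) else 'reject'}")
```

Note that a harmless `..` that stays inside the base directory is accepted after canonicalisation, while every variant that resolves outside it, or to a non-asset type, is rejected.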
