Critical Vulnerability in WP Ghost Plugin Exposes Over 200,000 Websites to Hacker Attacks
WordPress is one of the most popular content management systems (CMS) today, with various plugins designed to enhance its security. One such plugin is WP Ghost, which is intended to strengthen website security and has over 200,000 active installations. However, cybersecurity experts recently discovered a serious vulnerability in it.
This vulnerability has been registered under the identifier CVE-2025-26909 and has received a CVSS 3.1 score of 9.6, classifying it as critical. The flaw is related to Local File Inclusion (LFI), allowing attackers to execute Remote Code Execution (RCE). This means that hackers can send specially crafted requests to execute malicious scripts on a vulnerable site.
Vulnerability Details
🔹 Type: Local File Inclusion (LFI) leading to Remote Code Execution (RCE)
🔹 ID: CVE-2025-26909
🔹 Severity Level: Critical (9.6 CVSS)
🔹 Affected Versions: WP Ghost 5.4.01 and earlier
🔹 Fixed Version: 5.4.02, released on March 4, 2025
🔹 Exploitation Requirements: The “Change Paths” function must be enabled in Lite or Ghost mode
This vulnerability was discovered by Dimas Maulana, a researcher from Patchstack Alliance. He found that the issue lies within the showFile function, which processes file-related requests but does not adequately validate incoming parameters.
According to the Patchstack team:
“WP Ghost had an unauthenticated Local File Inclusion vulnerability. This flaw occurred due to improper validation of user-supplied URL paths.“
Technical Analysis
The maybeShowNotFound function, linked to the template_redirect event, can be triggered by unauthenticated users. If a visitor accesses an incorrect URL, this function executes, creating a pathway for exploitation.
Attackers can:
- Manipulate file paths,
- Use php://filter stream wrappers,
- Exploit the PHP_SESSION_UPLOAD_PROGRESS technique to execute arbitrary code on the server.
Potential Consequences of the Vulnerability
✅ Complete takeover of the website – Hackers could gain administrative access.
✅ Theft of confidential data – User credentials, passwords, cookies, and other sensitive information may be exposed.
✅ Injection of malicious software – The website could be used to distribute harmful scripts to visitors.
How to Protect Against the Attack?
WordPress site owners using the WP Ghost plugin should immediately take the following security measures:
✅ Update the WP Ghost plugin to version 5.4.02 or later.
✅ Check your website for signs of compromise. Review web server logs for suspicious requests or code injection attempts.
✅ Implement additional security measures. Enable Web Application Firewall (WAF) or use other security plugins.
✅ Use only necessary plugins and keep them up to date.
The Patchstack team reported this issue to WP Ghost developer John Darrel on March 3, 2025. Within 24 hours, he released an updated version addressing the problem.
Security Fixes Implemented
The WP Ghost developers have enhanced input validation for user-supplied URLs and file paths, significantly reducing the risk of malicious file uploads and unauthorized access.
WordPress plugin vulnerabilities remain a major attack vector for cybercriminals. The CVE-2025-26909 flaw is a reminder of how crucial it is to update plugins promptly to prevent potential website takeovers.
WordPress users must:
- Regularly update their plugins,
- Monitor for suspicious activity,
- Implement additional security measures.
This incident reinforces the importance of:
“Website security is an ongoing process. Every system and plugin must be regularly checked and updated!”
