Friday, March 21, 2025

WordPress security plugin WP Ghost vulnerable to remote code execution bug


Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers.

WP Ghost is a popular security add-on used on over 200,000 WordPress sites that claims to stop 140,000 hacker attacks and over 9 million brute-forcing attempts every month.

It also offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting.

However, as revealed by Patchstack, the security tool itself is vulnerable to a critical (CVSS score: 9.6) remote code execution (RCE) vulnerability that could lead to a complete site takeover.


The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the ‘showFile()’ function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths.

The flaw is triggered only if WP Ghost’s “Change Paths” feature is set to Lite or Ghost mode. Although these modes are not enabled by default, Patchstack notes that the Local File Inclusion (LFI) part applies to almost all setups.

“The vulnerability occurred due to insufficient user input value via the URL path that may be included as a file,” reads Patchstack’s report.

“Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup.”

Hence, the vulnerability allows LFI universally, but whether it escalates to RCE depends on the specific server configuration.


LFI without RCE can still be dangerous through scenarios such as information disclosure, session hijacking, log poisoning, access to source code, and denial of service (DoS) attacks.

Following the discovery of the flaw by researcher Dimas Maulana on February 25, 2025, Patchstack analyzed it internally and eventually notified the vendor on March 3.


On the following day, the developers of WP Ghost incorporated a fix in the form of an additional validation on the URL or path supplied by users.

The patch was incorporated in WP Ghost version 5.4.02, while version 5.4.03 has also been made available in the meantime.

Users are recommended to upgrade to either version to mitigate CVE-2025-26909.
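The root cause described above (a user-controlled URL path included as a file without validation) and the nature of the fix (validating the supplied path) are a general pattern, so here is an added illustration of it that is not WP Ghost's code, Patchstack's code, or the actual patch. It is written in Python rather than the plugin's PHP, with a constructed directory layout and hypothetical function names (`show_file_unchecked`, `show_file_confined`): the first function shows the weak pattern that lets `..` segments and absolute paths escape the intended directory, and the second shows the hardened pattern of resolving the path first and then refusing anything that does not land inside the allowed base directory.

```python
import os
import tempfile


def build_sandbox():
    """Constructed layout: a 'public' directory the application is meant to
    serve from, and a sibling secret file that must never be reachable
    through it. Returns the path of the public directory."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("db_password=constructed-sample")
    return public


def show_file_unchecked(base_dir, requested):
    """Weak pattern (hypothetical): the user-controlled path is joined and
    opened as-is. '..' segments are honoured and an absolute 'requested'
    makes os.path.join discard base_dir entirely, so any readable file on
    the host can be pulled in."""
    path = os.path.join(base_dir, requested)
    with open(path) as fh:
        return fh.read()


def show_file_confined(base_dir, requested):
    """Hardened pattern (hypothetical): resolve symlinks and '..' first,
    then refuse anything that does not sit inside the allowed directory."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith, so that "/srv/public2" is not
    # mistaken for a child of "/srv/public".
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside {base}: {requested!r}")
    if not os.path.isfile(target):
        raise FileNotFoundError(requested)
    with open(target) as fh:
        return fh.read()


def demo():
    """Run both versions against a benign request, a traversal request and
    an absolute-path request, and report what each one did."""
    public = build_sandbox()
    results = {}
    results["benign"] = show_file_confined(public, "index.html")
    # The unchecked version reads the file that lives outside the directory.
    results["unchecked_escape"] = show_file_unchecked(public, "../secret.txt")
    # The confined version rejects the same request.
    try:
        show_file_confined(public, "../secret.txt")
        results["confined_escape"] = "allowed"
    except PermissionError:
        results["confined_escape"] = "blocked"
    # An absolute path is rejected too; it never reaches open().
    try:
        show_file_confined(public, "/etc/hostname")
        results["confined_absolute"] = "allowed"
    except PermissionError:
        results["confined_absolute"] = "blocked"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check is placed after `realpath` rather than before it on purpose: filtering the raw string for `..` or a leading slash is easy to bypass with encoding or symlink tricks, whereas comparing the fully resolved target against the resolved base directory decides on what the filesystem would actually open.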
