The WP Ghost security plugin for WordPress has a critical vulnerability that lets attackers gain unauthorized access and potentially achieve remote code execution. Found by researcher Dimas Maulana and tracked as CVE-2025-26909, the flaw affects over 200,000 installations. It arises from insufficient validation of the URL path supplied to the plugin's showFile function, and is exploitable when the 'Change Paths' feature is set to 'Lite' or 'Ghost' mode. This issue underlines the importance of updating to the patched version 5.4.02, released on March 4, 2025, to guard against exploitation.
A serious vulnerability in the popular WordPress security plugin WP Ghost allows attackers to gain unauthorized website access.
This vulnerability is a Local File Inclusion (LFI) issue that can lead to Remote Code Execution (RCE), affecting more than 200,000 active installations.
The problem was resolved in the plugin's version 5.4.02, released on March 4, 2025, emphasizing the need for immediate updates.
Website administrators using WP Ghost are strongly advised to update to version 5.4.02 or higher as soon as possible to protect their websites against attacks.