Critical Vulnerability in WP Ghost Plugin Exposes Over 200,000 WordPress Sites to Remote Code Execution
A significant security flaw has been identified in WP Ghost, a widely used WordPress security plugin with over 200,000 active installations. This high-severity vulnerability, designated as CVE-2025-26909 with a CVSS score of 9.6, enables unauthenticated attackers to exploit a Local File Inclusion (LFI) weakness, potentially leading to Remote Code Execution (RCE). Website administrators are strongly advised to update immediately to version 5.4.02 or later to mitigate this critical security risk.
Understanding the Vulnerability
The vulnerability was discovered by Dimas Maulana, a security researcher at Patchstack Alliance. It resides in the WP Ghost plugin’s file handling functionality, specifically within the `showFile` function. The flaw arises from insufficient validation of user input via URL paths that can be included as files. This oversight allows unauthenticated users to perform path traversal and include arbitrary files on the server.
The issue is triggered when the `maybeShowNotFound` function is hooked to `template_redirect`, accessible by unauthenticated users. If a path accessed by such a user is not found, it initiates the vulnerable code path, ultimately enabling attackers to exploit the LFI vulnerability.
Risk Factors and Impact
– Affected Products: WP Ghost plugin (versions up to 5.4.01), with over 200,000 active installations.
– Impact: Remote Code Execution (RCE).
– Exploit Prerequisites: Requires the “Change Paths” feature to be set to Lite or Ghost mode.
– CVSS 3.1 Score: 9.6 (Critical severity).
Exploitation requires the Change Paths feature in WP Ghost to be set to Lite or Ghost mode, which is not the default configuration. Where that condition holds, the LFI can be escalated to RCE through techniques such as `php://` filter chains and `PHP_SESSION_UPLOAD_PROGRESS` tricks. This type of LFI vulnerability is particularly dangerous because it provides a direct path to executing malicious code on affected websites.
Mitigation Steps
Upon notification on March 3, 2025, the plugin developer, John Darrel, promptly released version 5.4.02 on March 4 to address the vulnerability. The patch implements additional validation on user-supplied URLs and paths to prevent exploitation.
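As an added example (not WP Ghost's own patch), the hypothetical helper below shows the kind of validation that closes this class of LFI: the requested path is resolved against a fixed directory, and anything that escapes that directory or names a stream wrapper is refused. The function name, directory and sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example, not the plugin's code: a hypothetical safe_include_path()
// that returns the resolved file only when it lies inside $baseDir.
declare(strict_types=1);

function safe_include_path(string $baseDir, string $userPath): ?string
{
    // Refuse stream wrappers (php://, data://, phar://, ...) and NUL bytes outright;
    // php://filter is exactly the mechanism the advisory warns about.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath) || str_contains($userPath, "\0")) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() collapses "..", symlinks and duplicate separators and returns
    // false for non-existent paths, which is also treated as a refusal.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Containment check: the resolved path must stay under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Constructed demonstration: a throwaway template directory with one real file
// inside it and one outside it, so the run works offline.
$demoRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
$templateDir = $demoRoot . DIRECTORY_SEPARATOR . 'templates';
mkdir($templateDir, 0700, true);
file_put_contents($templateDir . DIRECTORY_SEPARATOR . '404.php', "<?php // allowed\n");
file_put_contents($demoRoot . DIRECTORY_SEPARATOR . 'outside.txt', "must not be reachable\n");

foreach (['404.php', '../outside.txt', 'php://filter/resource=404.php'] as $input) {
    $resolved = safe_include_path($templateDir, $input);
    echo str_pad($input, 32) . ' => ' . ($resolved === null ? 'refused' : 'allowed') . PHP_EOL;
}
// Expected: only '404.php' is allowed; the traversal and wrapper inputs are refused.
```

Validation of this kind belongs on every code path that turns request data into an include, including the not-found handler described above, since that handler runs for unauthenticated requests.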
For WordPress site administrators using WP Ghost, immediate action is recommended:
– Update to WP Ghost version 5.4.02 or later: Ensure your site is running the latest version to benefit from the security patch.
– Verify your site’s integrity: Check for any signs of compromise if you’ve been running a vulnerable version.
– Implement additional security measures: Consider enhancing your site’s security posture, especially if you manage critical websites.
The WordPress security community emphasizes the importance of collaboration between plugin developers and security researchers to address vulnerabilities efficiently. Programs like the Managed Vulnerability Disclosure Program (mVDP) play a crucial role in reporting, managing, and addressing security issues promptly.
This discovery and responsible disclosure highlight the ongoing security challenges within the WordPress ecosystem, which powers approximately 43% of all websites on the internet. Regular updates and proactive security measures are essential to safeguard websites against emerging threats.