A significant security flaw has been identified in the WP Ghost plugin, a widely used WordPress security tool with over 200,000 active installations. This high-severity vulnerability, designated as CVE-2025-26909 with a CVSS score of 9.6, enables unauthenticated attackers to exploit a Local File Inclusion (LFI) weakness, potentially leading to Remote Code Execution (RCE). Website administrators are strongly urged to update to version 5.4.02 or later to mitigate this critical risk.
Understanding the Vulnerability
The flaw was discovered by security researcher Dimas Maulana from the Patchstack Alliance. It resides in the WP Ghost plugin’s file handling functionality, specifically within the `showFile` function. The vulnerability arises from inadequate validation of user input via URL paths, allowing unauthorized inclusion of files. This issue is particularly concerning because it provides a direct avenue for executing malicious code on affected websites.
Technical Breakdown
The vulnerability is triggered through a sequence of function calls:
1. The `maybeShowNotFound` function is hooked to `template_redirect`, accessible by unauthenticated users.
2. If an unauthenticated user accesses a non-existent path, it activates the vulnerable code path.
3. This sequence allows attackers to perform path traversal and include arbitrary files on the server.
Exploitation of this vulnerability requires the “Change Paths” feature in WP Ghost to be set to “Lite” or “Ghost” mode. Although this feature is not enabled by default, when active, it opens the door for attackers to employ techniques such as `php://` filter chains and `PHP_SESSION_UPLOAD_PROGRESS` tricks to achieve RCE.
Risk Assessment
– Affected Products: WP Ghost plugin (versions up to 5.4.01), with over 200,000 active installations.
– Impact: Remote Code Execution (RCE).
– Exploit Prerequisites: Requires the “Change Paths” feature to be set to Lite or Ghost mode.
– CVSS 3.1 Score: 9.6 (Critical severity).
Immediate Actions Recommended
Upon notification on March 3, 2025, the plugin developer, John Darrel, promptly released version 5.4.02 on March 4 to address the vulnerability. The patch introduces enhanced validation on user-supplied URLs and paths to prevent unauthorized file inclusion.
Recommendations for WordPress Site Administrators:
1. Update Promptly: Ensure your WP Ghost plugin is updated to version 5.4.02 or later.
2. Verify Site Integrity: Check your website for any signs of compromise, especially if you have been running a vulnerable version.
3. Implement Additional Security Measures: For critical websites, consider deploying extra security protocols to safeguard against potential threats.
Collaborative Security Efforts
The WordPress security community emphasizes the importance of collaboration in addressing such vulnerabilities. Patchstack has incorporated this vulnerability into its database and is actively protecting its customers. The organization advocates for joint efforts between plugin developers and security researchers through programs like the Managed Vulnerability Disclosure Program (mVDP) to efficiently report, manage, and resolve security issues.
Conclusion
The discovery and responsible disclosure of this vulnerability underscore the ongoing security challenges within the WordPress ecosystem, which powers approximately 43% of all websites globally. Regular updates, vigilant monitoring, and proactive security practices are essential to protect websites from emerging threats.
