Threat Advisory

WP Ghost Plugin Vulnerability Allows Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A critical vulnerability, CVE-2025-26909, has been identified in the WP Ghost WordPress plugin, which is active on over 200,000 websites. This flaw allows unauthenticated attackers to execute arbitrary code remotely, potentially leading to full website compromise. The vulnerability arises from inadequate input validation in the 'showFile()' function, enabling attackers to include arbitrary files through manipulated URL paths. The Common Vulnerability Scoring System (CVSS) has assigned this vulnerability a score of 9.6, indicating its critical severity. Users are strongly advised to update to the latest version to mitigate potential risks.
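The advisory attributes the flaw to a file-serving function that accepts a URL-derived path without adequate validation. The following Python is an added illustration of the containment checks such a handler needs before it reads or includes a file; it is not WP Ghost's code (the plugin is PHP), and the directory layout, the extension allowlist and the request strings are constructed for the demo. It goes beyond the single case in the summary by also covering symlinks that point outside the served tree and embedded NUL bytes.

```python
"""Illustrative path-containment check for a file-serving handler.

Added example, not code from the WP Ghost plugin. It canonicalises a
URL-derived path, verifies it stays inside the directory being served,
and applies an extension allowlist, which is the validation the advisory
says was missing. Directory layout and allowlist are assumptions.
"""
import os
import tempfile

# Assumed allowlist: a static-asset handler has no reason to serve anything else.
ALLOWED_EXTENSIONS = {".css", ".js", ".png"}


class PathRejected(ValueError):
    """Raised when a requested path fails validation."""


def resolve_served_path(base_dir: str, requested: str) -> str:
    """Return the canonical on-disk path for a request, or raise PathRejected.

    Order matters: reject NUL bytes first (they truncate paths in C-based
    runtimes), then canonicalise, then check containment and extension.
    """
    if "\x00" in requested:
        raise PathRejected("NUL byte in path")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and resolves symlinks, so a symlink
    # inside base that points outside it is caught by the containment check.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # Containment by path component, not by string prefix ("/srv/public2"
    # would pass a naive startswith("/srv/public") test).
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected("path escapes served directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise PathRejected("extension not allowed")
    if not os.path.isfile(candidate):
        raise PathRejected("not a regular file")
    return candidate


def demo() -> dict:
    """Build a constructed directory layout and classify sample requests.

    Returns a mapping of request string -> 'served' or 'rejected: <reason>'.
    """
    with tempfile.TemporaryDirectory() as root:
        # A file that lives outside the served tree (constructed).
        outside = os.path.join(root, "secret.txt")
        with open(outside, "w") as f:
            f.write("not for the web\n")
        # The served tree with one legitimate asset (constructed).
        base = os.path.join(root, "public")
        os.makedirs(os.path.join(base, "css"))
        with open(os.path.join(base, "css", "site.css"), "w") as f:
            f.write("body{}\n")
        # A symlink inside the served tree that points outside it.
        os.symlink(outside, os.path.join(base, "css", "link.css"))

        requests = [
            "css/site.css",            # plain, valid request
            "css/../css/site.css",     # '..' that stays inside base
            "../secret.txt",           # '..' that leaves base
            "css/link.css",            # symlink escaping base
            "css/site.css\x00.png",    # NUL-byte truncation attempt
            "css/site.php",            # extension outside the allowlist
        ]
        results = {}
        for r in requests:
            try:
                resolve_served_path(base, r)
                results[r] = "served"
            except PathRejected as e:
                results[r] = f"rejected: {e}"
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(repr(req), "->", outcome)
```

The check that does the real work is `commonpath`, applied after `realpath`: a request is only honoured when its canonical form is a descendant of the canonical base directory, regardless of how many `..` segments or symlinks it passes through. Reporting these rejections to the web server's error log also gives a defender a cheap signal for traversal attempts against any file-serving endpoint.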


RECOMMENDATION:

We recommend that you update the WP Ghost WordPress plugin to version 5.4.02.

REFERENCES:

The following reports contain further technical details:
https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp-ghost-vulnerable-to-remote-code-execution-bug/
