Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers.
WP Ghost is a popular security add-on used in over 200,000 WordPress sites that claims to stop 140,000 hacker attacks and over 9 million brute-forcing attempts every month.
It also offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting.
However, as revealed by Patchstack, the security tool itself is vulnerable to a critical (CVSS score: 9.6) remote code execution (RCE) vulnerability that could lead to a complete website takeover.
The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the ‘showFile()’ function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths.
The flaw is triggered only if WP Ghost’s “Change Paths” feature is set to Lite or Ghost mode. Although these modes are not enabled by default, Patchstack notes that the Local File Inclusion (LFI) part applies to nearly all setups.
“The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file,” reads Patchstack’s report.
“Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup.”
Hence, the vulnerability allows LFI universally, but whether it escalates to RCE depends on the specific server configuration.
LFI without RCE can still be dangerous through scenarios such as information disclosure, session hijacking, log poisoning, access to source code, and denial of service (DoS) attacks.
Following the discovery of the flaw by researcher Dimas Maulana on February 25, 2025, Patchstack analyzed it internally and eventually notified the vendor on March 3.
On the next day, the developers of WP Ghost incorporated a fix in the form of an additional validation on the supplied URL or path from the users.
The patch was incorporated on WP Ghost version 5.4.02, while version 5.4.03 has also been made available in the meantime.
Users are recommended to upgrade to either version to mitigate CVE-2025-26909.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
