
Critical vulnerability in WP Ghost plugin affects over 200,000 websites

A serious vulnerability in the popular WordPress security plugin WP Ghost allows attackers to gain unauthorized website access. The Local File Inclusion (LFI) vulnerability can lead to Remote Code Execution (RCE), affecting more than 200,000 active installations.

Patchstack researcher Dimas Maulana discovered the vulnerability, registered as CVE-2025-26909. The problem was resolved in the plugin’s version 5.4.02, released on March 4, 2025.

The vulnerability lies in the plugin’s showFile function. Insufficient validation of user input supplied via the URL path allows an attacker to include arbitrary files from the server, which can then lead to the execution of malicious code on the affected website.

How it works

The problem arises when the maybeShowNotFound function is called, which in turn invokes the showFile function without adequately checking the URL path. This allows attackers to access files on the server via path traversal techniques.
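To illustrate the class of bug described above, here is an added example (not WP Ghost's code, and not the actual showFile implementation): a hypothetical file-serving helper written the weak way, alongside a hardened version that canonicalises the path and refuses anything that resolves outside the intended directory. Function names, the temporary directory and the sample files are all constructed for the demo.

```php
<?php
// Added illustrative example, not code from the WP Ghost plugin.
// All function names and files below are hypothetical.
declare(strict_types=1);

// Weak pattern: trusts the URL path and only checks that a file exists.
// "../" segments in $urlPath are passed straight to the filesystem.
function show_file_unsafe(string $baseDir, string $urlPath): ?string
{
    $candidate = $baseDir . '/' . ltrim($urlPath, '/');
    return is_file($candidate) ? file_get_contents($candidate) : null;
}

// Hardened pattern: canonicalise with realpath() and require the result
// to stay inside $baseDir before reading anything.
function show_file_safe(string $baseDir, string $urlPath): ?string
{
    // Decode once and reject NUL bytes before touching the filesystem.
    $decoded = rawurldecode($urlPath);
    if (str_contains($decoded, "\0")) {
        return null;
    }
    $root = realpath($baseDir);
    if ($root === false) {
        return null;
    }
    $real = realpath($root . '/' . ltrim($decoded, '/'));
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so a sibling directory whose name
    // merely starts with $root (e.g. "public2") is not accepted.
    if (!str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return file_get_contents($real);
}

// Constructed demo layout: a public directory with one page, and a
// sensitive file one level above it that must never be served.
$tmp = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/public', 0700, true);
file_put_contents($tmp . '/public/index.html', 'public page');
file_put_contents($tmp . '/secret.txt', 'DB_PASSWORD=constructed-sample');

foreach (['index.html', '../secret.txt'] as $path) {
    printf("%-15s unsafe=%s safe=%s\n", $path,
        show_file_unsafe($tmp . '/public', $path) === null ? 'blocked' : 'served',
        show_file_safe($tmp . '/public', $path) === null ? 'blocked' : 'served');
}
```

Run with `php example.php`; the legitimate request is served by both helpers, while the traversal request is served only by the weak one.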

The vulnerability can only be exploited if the ‘Change Paths’ function in WP Ghost is set to ‘Lite’ or ‘Ghost’ mode. This setting is not activated by default, which somewhat limits the impact. Patchstack, the security company that reported the vulnerability, emphasizes that customers using their services are already protected against it.

Website administrators using WP Ghost are strongly advised to update to version 5.4.02 or higher as soon as possible to protect their websites against attacks.