Advisory

WP Ghost WordPress plugin fixes critical vulnerability affecting 200,000+ sites

Take action: If you are running the WP Ghost plugin, update it IMMEDIATELY. Even if your configuration does not open the path to full remote code execution (see below), the file-inclusion flaw itself still applies, so updating is the right call regardless. The update process is trivial, so don't delay.


Learn More

WP Ghost, a popular WordPress security and firewall plugin with over 200,000 active installations, has released an urgent security update to address a critical vulnerability that could allow attackers to take complete control of affected websites.

WP Ghost is, ironically, one of the most popular free security plugins in the WordPress repository, designed to block bots and prevent unauthorized access to WordPress websites. The plugin claims to stop 140,000 hacker attacks and over 9 million brute-forcing attempts every month.

The flaw, tracked as CVE-2025-26909 (CVSS score 9.6), is an unauthenticated Local File Inclusion (LFI) vulnerability that can be escalated to Remote Code Execution (RCE). The vulnerability exists in the showFile() function within the plugin's code.

Due to insufficient validation of user input taken from the URL path, attackers could perform path traversal and include arbitrary files from the server. Because the file is pulled in with require_once, whatever is included is executed as PHP, which is what turns the LFI into code execution: well-known techniques such as php:// filter chains (which build arbitrary PHP from any readable file via chained stream filters) or the PHP_SESSION_UPLOAD_PROGRESS trick (which plants attacker-controlled content in a session file that is then included) apply here.

The issue is triggered when:

  1. An unauthenticated user accesses a non-existent path or file
  2. The maybeShowNotFound() function is called
  3. This function then calls showFile() with the current URL
  4. The path is processed without proper validation and passed to require_once
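The four steps above come down to one missing check: the URL path is turned into an include target without being anchored to a safe directory. The following is an added example, not WP Ghost's code and not its fix; the template directory, the function names and the ".php" extension rule are assumptions chosen for illustration. It contrasts the kind of substring blocklist that does not work with a validator that decodes, rejects stream wrappers (the php:// filter chains mentioned above), normalises and then checks containment, and it exercises the traversal, encoded-traversal and wrapper inputs a reviewer would try.

```python
"""Added example (not the plugin's code): validating a URL path before it is
handed to an include, the check whose absence makes an LFI like the one
described above possible. All names and the directory layout are assumptions."""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumed for this example: the only directory the "not found" handler may
# include files from. This path is hypothetical, not taken from WP Ghost.
TEMPLATE_DIR = "/var/www/html/wp-content/plugins/wp-ghost/templates"

# Anything shaped like a URL scheme: php://, phar://, data:, file:, ...
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")
_MAX_DECODE_ROUNDS = 3  # enough to undo double encoding without looping forever


def naive_is_safe(url_path: str) -> bool:
    """The kind of check that does NOT work: a substring blocklist for '../'.
    It passes '%2e%2e/' untouched. Shown only to contrast with resolve_include_target()."""
    return "../" not in url_path


def fully_decode(url_path: str) -> str:
    """Undo percent-encoding until the value stops changing (bounded), so that
    '%2e%2e/' and double-encoded '%252e%252e/' both end up as '../'."""
    cur = url_path
    for _ in range(_MAX_DECODE_ROUNDS):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def resolve_include_target(url_path: str, base_dir: str = TEMPLATE_DIR) -> Optional[str]:
    """Return the canonical file path to include, or None if the request must be refused.

    Rules, applied on the decoded value regardless of what the web server did:
      1. reject embedded NUL bytes;
      2. reject anything that looks like a stream wrapper or URL scheme, so the
         include never sees php://filter/..., data: or phar://;
      3. treat backslashes as separators, lexically normalise, anchor under base_dir;
      4. the result must still sit strictly inside base_dir and end in '.php'
         (the extension allowlist is an assumption of this example).
    """
    decoded = fully_decode(url_path)
    if "\x00" in decoded:
        return None
    if _SCHEME_RE.match(decoded):
        return None
    rel = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base_dir, rel))
    base = base_dir.rstrip("/") + "/"
    if not candidate.startswith(base):
        return None  # traversal escaped the template directory
    if not candidate.endswith(".php"):
        return None  # e.g. /etc/passwd, a session file, an uploaded image
    return candidate


if __name__ == "__main__":
    # Constructed inputs of the kinds an attacker would send to the handler.
    probes = [
        "404.php",
        "../../../../../../../../etc/passwd",
        "%2e%2e/%2e%2e/wp-config.php",
        "%252e%252e/%252e%252e/wp-config.php",
        "..%5c..%5cetc%5cpasswd",
        "php://filter/convert.base64-encode/resource=index.php",
        "data://text/plain;base64,PD9waHAgcGhwaW5mbygpOw==",
        "a%00.php",
    ]
    for p in probes:
        print(f"{p!r:60} naive={naive_is_safe(p)!s:5} resolved={resolve_include_target(p)}")
```

Two caveats for anyone porting this pattern into PHP: the normalisation here is lexical, so a symlink inside the template directory that points elsewhere would still pass; in PHP, follow it with realpath() on the candidate and repeat the containment test on the real path. And rejecting wrappers by prefix is a belt-and-braces measure, not a substitute for containment: once the target is anchored under a directory you control, a wrapper string cannot be interpreted as one anyway.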

The escalation to remote code execution is only possible if the "Change Paths" feature in WP Ghost is set to Lite or Ghost mode, which is not the default. The LFI itself, however, applies to nearly all configurations, so the lower-impact outcomes below are reachable on most unpatched sites.

Even if Remote Code Execution is not possible in some configurations, an LFI vulnerability can still lead to:

  • Information disclosure
  • Session hijacking
  • Log poisoning
  • Access to source code
  • Denial of Service attacks

The vulnerability was discovered by Patchstack Alliance researcher Dimas Maulana on February 25, 2025, and reported to the plugin developer on March 3. The developer released version 5.4.02 the following day to patch the issue by implementing additional validation on user-supplied URL paths.

Users are strongly advised to update to WP Ghost version 5.4.02 or later immediately.
