WP Ghost plugin vulnerable to remote code execution

bleepingcomputer.com

A critical vulnerability has been found in the popular WordPress security plugin WP Ghost. The flaw could let unauthenticated attackers execute code remotely. WP Ghost is installed on more than 200,000 WordPress sites and provides security features against a range of attacks.

The flaw, tracked as CVE-2025-26909, carries a severity score of 9.6 and affects all versions of WP Ghost up to 5.4.01. It stems from insufficient input validation in a function called 'showFile()': attackers could manipulate URL paths so that the function includes files it should not. This can lead to a complete website takeover, but only under specific conditions. The plugin's "Change Paths" feature must be set to Lite or Ghost mode, neither of which is enabled by default. The Local File Inclusion aspect of the vulnerability, however, could affect many setups.

The vulnerability was discovered on February 25, 2025, by researcher Dimas Maulana. Patchstack, the security analysis firm, reported the issue to the WP Ghost developers on March 3. A patch was quickly developed and released in WP Ghost version 5.4.02. Users are urged to update to that version or the later 5.4.03 to protect against the vulnerability.
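The root cause described above is a file-serving function that trusts a path taken from the URL. The PHP below is an added example written for this page; it is not WP Ghost's code and does not reproduce the patched `showFile()`. The function name `resolve_safe_path()`, the base-directory layout and the sample requests are assumptions chosen to show the containment check a plugin developer would want: resolve the requested name with `realpath()` and refuse anything whose canonical path does not stay inside the allow-listed directory.

```php
<?php
// Added example, not WP Ghost's code. Returns the canonical path of a file
// inside $baseDir, or null when the request must be refused.
function resolve_safe_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;                      // base directory must exist
    }

    // Reject embedded NUL bytes (can truncate paths in C-level calls),
    // absolute paths and scheme-prefixed input such as "php://" or "http://".
    if (strpos($requested, "\0") !== false
        || preg_match('#^(?:[a-z][a-z0-9+.-]*:)?//|^[\\\\/]#i', $requested)) {
        return null;
    }

    // realpath() collapses "." and ".." and resolves symlinks, so the
    // containment check below sees the real on-disk location.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;                      // missing, or not a regular file
    }

    // Canonical path must start with "<base><separator>"; comparing with the
    // separator appended stops "/var/www/public2" matching "/var/www/public".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                      // traversal escaped the base dir
    }
    return $candidate;
}

// Self-contained demonstration using constructed files in a temp directory.
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe_path_demo_' . getmypid();
$pub  = $tmp . DIRECTORY_SEPARATOR . 'public';
mkdir($pub, 0700, true);
file_put_contents($pub . DIRECTORY_SEPARATOR . 'style.css', "body{}");
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'secret.txt', "outside");

// Constructed requests: the first is legitimate, the rest must be refused.
$requests = [
    'style.css',                 // allowed
    '../secret.txt',             // classic traversal out of the base dir
    'sub/../../secret.txt',      // traversal hidden behind a fake subdir
    '/etc/passwd',               // absolute path
    'php://filter/resource=x',   // stream wrapper
    "style.css\0.txt",           // NUL-byte truncation attempt
];
foreach ($requests as $r) {
    $res = resolve_safe_path($pub, $r);
    printf("%-28s -> %s\n", addcslashes($r, "\0"), $res === null ? 'REFUSED' : 'ok');
}

// Cleanup of the constructed files.
unlink($pub . DIRECTORY_SEPARATOR . 'style.css');
unlink($tmp . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($pub);
rmdir($tmp);
```

Where the set of servable files is small and known in advance, an even stronger design maps a short token from the URL to a filename through an allow-list array and never passes user input to the filesystem at all; the containment check above is the fallback for cases where arbitrary names under one directory genuinely must be served.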

