Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. However, as revealed by Patchstack, the security tool itself is vulnerable to a critical (CVSS score: 9.6) remote code execution (RCE) vulnerability that could lead to a complete website takeover. WP Ghost is a popular security add-on used in over 200,000 WordPress sites that claims to stop 140,000 hacker attacks and over 9 million brute-forcing attempts every month. It also offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting. The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. "The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file," reads Patchstack's report. Following the discovery of the flaw by researcher Dimas Maulana on February 25, 2025, Patchstack analyzed it internally and eventually notified the vendor on March 3. The flaw is triggered only if WP Ghost's "Change Paths" feature is set to Lite or Ghost mode. LFI without RCE can still be dangerous through scenarios such as information disclosure, session hijacking, log poisoning, access to source code, and denial of service (DoS) attacks. On the next day, the developers of WP Ghost incorporated a fix in the form of an additional validation on the supplied URL or path from the users.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 20 Mar 2025 15:00:23 +0000