- WP Ghost, a popular security plugin, carried a 9.6-severity flaw
- It allows threat actors to execute malicious code, remotely
- The developers released a patch, and users should update now
WP Ghost, a popular security WordPress pluginwas carrying a vulnerability that allowed threat actors to launch Remote Code Execution (RCE) attacks and take over entire websites.
All versions of WP Ghost up to 5.4.01 are flawed, and if you’re using this plugin, make sure to update it to version 5.4.02.
“The WP Ghost plugin suffered from an unauthenticated Local File Inclusion vulnerability,” explained researchers from Patchstack. “The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file. Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup.”
Updating the add-ons
The bug is now tracked as CVE-2025-26909, and was given a severity score of 9.6/10 (critical). It was patched by adding extra validation on the supplied URL or path from the user.
WP Ghost is a popular website builder security plugin, with more than 200,000 installs.
The plugin’s page states that it stops 140,000 attacks and more than nine million brute-force attempts every month.
It claims to offer protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting attacks.
“When working with user-provided data for a local file inclusion process, always implement a strict check on the supplied value and only allow users to access specific or whitelisted paths or files,” Patchstack concluded.
WordPress is a major target for cybercriminals, and its platform is quite robust, but it comes with a huge repository of third-party plugins and themes, both free-to-use, and paid ones.
Many of these are vulnerable to different exploits, which is why WordPress users are advised to carefully choose their add-ons, and always make sure to keep them updated.