Technology

This top WordPress plugin could be hiding a worrying security flaw, so be on your guard

March 21, 2025

WP Ghost, a popular security plugin, carried a 9.6-severity flaw
It allows threat actors to execute malicious code, remotely
The developers released a patch, and users should update now

WP Ghost, a popular security WordPress plugin, was carrying a vulnerability that allowed threat actors to launch Remote Code Execution (RCE) attacks and take over entire websites.

All versions of WP Ghost up to 5.4.01 are flawed, and if you’re using this plugin, make sure to update it to version 5.4.02.

“The WP Ghost plugin suffered from an unauthenticated Local File Inclusion vulnerability,” explained researchers from Patchstack. “The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file. Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup.”

Updating the add-ons

The bug is now tracked as CVE-2025-26909, and was given a severity score of 9.6/10 (critical). It was patched by adding extra validation on the supplied URL or path from the user.

WP Ghost is a popular website builder security plugin, with more than 200,000 installs.

The plugin’s page states that it stops 140,000 attacks and more than nine million brute-force attempts every month.

It claims to offer protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting attacks.

“When working with user-provided data for a local file inclusion process, always implement a strict check on the supplied value and only allow users to access specific or whitelisted paths or files,” Patchstack concluded.

WordPress is a major target for cybercriminals, and its platform is quite robust, but it comes with a huge repository of third-party plugins and themes, both free-to-use, and paid ones.

Many of these are vulnerable to different exploits, which is why WordPress users are advised to carefully choose their add-ons, and always make sure to keep them updated.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar