
Critical WP Ghost Plugin Vulnerability: Urgent Patch Required to Prevent RCE Threat

  • Rescana
  • Mar 26
  • 3 min read

Executive Summary

Date: March 20, 2025

The WP Ghost plugin, a widely used security tool installed on over 200,000 WordPress websites, contains a critical vulnerability. This flaw, tracked as CVE-2025-26909, allows Local File Inclusion (LFI) that can escalate to Remote Code Execution (RCE), posing a significant threat to the integrity and security of affected sites. The vulnerability, discovered by Dimas Maulana of the Patchstack Alliance, is primarily due to insufficient input validation in the showFile() function. With a CVSS score of 9.6, the severity underscores the urgent need for remediation by upgrading to the newly released patch, version 5.4.02.

Technical Information

The vulnerability in the WP Ghost plugin stems from a lack of robust input validation in its showFile() function. Because this function does not properly sanitize user-supplied input, a URL path can be manipulated so that arbitrary files are included. This Local File Inclusion (LFI) vulnerability can escalate to Remote Code Execution (RCE) under certain server configurations, allowing attackers to run malicious code remotely. The plugin's "Change Paths" feature, particularly when set to Lite or Ghost mode, increases the risk of exploitation, although this is not the default setting. The vulnerability affects all WP Ghost versions up to 5.4.01 and was first identified by security researcher Dimas Maulana. The critical nature of this flaw requires immediate attention to prevent site compromise and data breaches.

Exploitation in the Wild

As of now, there have been no confirmed reports of active exploitation of this vulnerability in the wild. Additionally, no specific Advanced Persistent Threat (APT) groups are known to be targeting this vulnerability at the current time. However, the potential for exploitation remains high due to the critical severity of the flaw. Website administrators and security teams should remain vigilant, monitor for any unusual activity, and ensure that all security measures are in place to prevent unauthorized access or code execution.

APT Groups using this vulnerability

Currently, there is no evidence or reports of specific APT groups exploiting the CVE-2025-26909 vulnerability in the WP Ghost plugin. Nevertheless, the critical nature of this vulnerability means that it could become a target for APT groups in the future. It is imperative for organizations to stay informed and prepared to defend against any potential threats.

Affected Product Versions

The vulnerability affects all versions of the WP Ghost plugin up to and including version 5.4.01. Users of this plugin should immediately upgrade to version 5.4.02 or later to mitigate the risk of exploitation. The patch addresses the input validation flaw and hardens the showFile() function, preventing unauthorized file inclusion and code execution.

Workaround and Mitigation

To mitigate the risk posed by this vulnerability, users of the WP Ghost plugin should take the following steps: immediately upgrade to version 5.4.02 or later, as this version contains the necessary security patches to address the vulnerability. Avoid configuring the "Change Paths" feature to Lite or Ghost mode unless absolutely necessary, as these settings increase the risk of exploitation. Implement monitoring and alert systems to detect any unusual file access or modifications, which may indicate attempted exploitation.
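As an added illustration (not code from the Rescana report or from the WP Ghost plugin), the following Python sketch covers two of the steps above: comparing an installed plugin version against the patched release 5.4.02, and scanning web-server access log lines for URL-encoded or double-encoded traversal sequences that would indicate an LFI probe. The log lines, the Common Log Format layout and the query parameter name are constructed assumptions; the real vulnerable parameter is not given in the advisory.

```python
import re
from urllib.parse import unquote

# First release that fixes CVE-2025-26909 (from the advisory).
PATCHED_VERSION = (5, 4, 2)

def parse_version(s):
    """'5.4.01' -> (5, 4, 1); leading zeros in a component are ignored."""
    return tuple(int(part) for part in s.split("."))

def is_vulnerable_version(installed):
    """True for every WP Ghost release up to and including 5.4.01."""
    return parse_version(installed) < PATCHED_VERSION

# Assumed Common Log Format: ip ident user [time] "METHOD uri PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Directory traversal ("../" or "..\") or a NUL byte after decoding.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|\x00')

def decode_fully(uri, max_rounds=3):
    """URL-decode repeatedly so double-encoded probes (%252e) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def suspicious_requests(log_lines):
    """Return (ip, raw_uri, status) for each request with a traversal marker."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash
        if TRAVERSAL_RE.search(decode_fully(m.group("uri"))):
            hits.append((m.group("ip"), m.group("uri"), m.group("status")))
    return hits

# Constructed sample log lines; the 'f' parameter is a placeholder, not WP Ghost's.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Mar/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.9 - - [20/Mar/2025:10:01:07 +0000] "GET /index.php?f=..%2F..%2Fwp-config.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Mar/2025:10:01:09 +0000] "GET /index.php?f=%252e%252e%252fwp-config.php HTTP/1.1" 404 210',
    '198.51.100.4 - - [20/Mar/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    print("5.4.01 vulnerable:", is_vulnerable_version("5.4.01"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("ALERT traversal probe:", hit)
```

A 200 status on a flagged request deserves a closer look than a 404, since it suggests the included path was served.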

References

For further information and detailed analysis of the vulnerability, consult the following resources: the Patchstack Advisory provides a comprehensive overview of the issue and can be accessed at https://patchstack.com/articles/critical-lfi-to-rce-vulnerability-in-wp-ghost-plugin-affecting-200k-sites/. Additionally, the BleepingComputer Report offers insights into the vulnerability and its implications, available at https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp-ghost-vulnerable-to-remote-code-execution-bug/.

Rescana is here for you

At Rescana, we are committed to supporting our clients in maintaining robust cybersecurity postures. Our Third Party Risk Management (TPRM) platform is designed to help organizations identify and mitigate risks associated with third-party software and services. Should you have any questions regarding this report or require assistance with your cybersecurity strategies, please do not hesitate to reach out to us at ops@rescana.com.
