Full Report
Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. [...]
Analysis Summary
# Vulnerability: Critical LFI to RCE in WordPress WP Ghost Plugin
## CVE Details
- CVE ID: CVE-2025-26909
- CVSS Score: 9.6 (Critical)
- CWE: Improper input validation resulting in Local File Inclusion (a user-controlled path reaches a file include), with Remote Code Execution as a possible escalation
## Affected Systems
- Products: WordPress security plugin WP Ghost
- Versions: All versions up to and including 5.4.01
- Configurations: The root cause is insufficient validation of the URL path passed to the plugin's `showFile()` function, which yields Local File Inclusion (LFI). The advisory ties the full LFI-to-RCE chain to the "Change Paths" feature being set to Lite or Ghost mode and to the server environment (whether the attacker can get PHP code into a file the plugin can be made to include), while the LFI itself is possible in nearly all setups.
## Vulnerability Description
The WP Ghost plugin contains a critical vulnerability stemming from insufficient validation of user-supplied input in the `showFile()` function, which is reached through the request URL path. Because the path is not constrained to the plugin's own asset directory, an attacker can make the plugin include arbitrary files on the server (Local File Inclusion, LFI). In PHP an included file is executed, so on servers where the attacker can plant PHP code in a file the plugin can be made to include (a poisoned web server log, a session file, an upload) or can use a `php://filter` chain, the LFI escalates to Remote Code Execution (RCE) and complete website takeover. Even without RCE, LFI enables information disclosure, session hijacking, log poisoning, source code access, and Denial of Service (DoS).
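To make the vulnerable pattern and its fix concrete, here is an added PHP example (not WP Ghost's own code, and not the vendor's patch): a hypothetical file-serving handler that includes whatever the URL path names, beside a hardened resolver that canonicalises the path, confines it to one directory, rejects stream wrappers and serves bytes instead of executing them. The function names, the `$base_dir` parameter and the sandbox paths are assumptions for the demo; it needs PHP 8 for `str_contains`/`str_starts_with`.

```php
<?php
declare(strict_types=1);

// Added example, not WP Ghost's code. A minimal "serve the file named by the
// URL path" handler in the vulnerable shape the advisory describes, beside a
// hardened version. All names here (show_file_vulnerable, resolve_static_file,
// show_file_hardened, $base_dir) are hypothetical. Requires PHP 8.

/**
 * VULNERABLE pattern: the request path is joined to a base directory and handed
 * to include. "../" walks out of $base_dir, and because include executes PHP,
 * any file the attacker can get PHP tags into (an access log via a poisoned
 * User-Agent, a session file, an upload) turns the file read into code execution.
 */
function show_file_vulnerable(string $base_dir, string $url_path): void
{
    $file = $base_dir . '/' . ltrim($url_path, '/');
    include $file; // e.g. "../../../../var/log/apache2/access.log"
}

/**
 * HARDENED resolver: returns the canonical file to serve, or null to reject.
 *  1. refuse stream wrappers (php://filter, data:, phar://) and NUL bytes
 *  2. canonicalise with realpath() so "../", symlinks and encoding tricks are
 *     resolved before any comparison
 *  3. the result must still be inside $base_dir
 *  4. only static-asset extensions; the caller uses readfile(), never include
 */
function resolve_static_file(string $base_dir, string $url_path): ?string
{
    static $allowed_ext = ['css', 'js', 'png', 'jpg', 'svg', 'woff2'];

    if (str_contains($url_path, "\0") || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url_path)) {
        return null; // wrapper scheme or NUL byte
    }
    $base = realpath($base_dir);
    $real = $base === false ? false : realpath($base . '/' . ltrim($url_path, '/'));
    if ($real === false) {
        return null; // base or target does not exist
    }
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null; // escaped the base directory
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null; // .php, .log, .txt ... are never served
    }
    return $real;
}

function show_file_hardened(string $base_dir, string $url_path): bool
{
    $real = resolve_static_file($base_dir, $url_path);
    if ($real === null) {
        http_response_code(404);
        return false;
    }
    readfile($real); // bytes are sent, not executed
    return true;
}

// Self-check in a constructed sandbox: one legitimate asset, then three of the
// request shapes an attacker would try against the vulnerable handler.
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($root . '/assets', 0700, true);
file_put_contents($root . '/assets/style.css', "body{margin:0}\n");
file_put_contents($root . '/secret.txt', "outside the asset dir\n");

$cases = [
    'style.css'                                                 => true,
    '../secret.txt'                                             => false,
    '../../../../etc/passwd'                                    => false,
    'php://filter/convert.base64-encode/resource=../secret.txt' => false,
];
$ok = true;
foreach ($cases as $path => $should_serve) {
    $served = resolve_static_file($root . '/assets', $path) !== null;
    $ok = $ok && ($served === $should_serve);
    printf("%-60s %s\n", $path, $served ? 'SERVED' : 'rejected');
}
unlink($root . '/assets/style.css');
unlink($root . '/secret.txt');
rmdir($root . '/assets');
rmdir($root);
exit($ok ? 0 : 1);
```

Run it with `php` from the command line; it exits non-zero if any case is mis-handled. The order of checks matters: the wrapper check must come before `realpath()`, because `realpath()` never resolves `php://` paths and would only return `false` (which this code also rejects), and the extension allowlist is applied to the canonical path, not the raw request, so `style.css/../wp-config.php` cannot pass on the `.css` suffix. `show_file_vulnerable` is defined only to show the shape and is never called.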
## Exploitation
- Status: PoC available (Disclosed by Patchstack, researcher Dimas Maulana)
- Complexity: Not stated in the source; the attack is unauthenticated and consists of requesting a crafted URL path, although escalating from LFI to RCE depends on the target environment
- Attack Vector: Network (Remote access required to craft malicious URLs)
## Impact
- Confidentiality: High (Source code access, sensitive file inclusion)
- Integrity: High (Potential for arbitrary code execution/file modification)
- Availability: High (Potential for Denial of Service)
## Remediation
### Patches
- Upgrade to WP Ghost version **5.4.02** or later.
- Version **5.4.03** is also available.
### Workarounds
- Patchstack details no workaround. Until the patch is applied, disabling the "Change Paths" feature (if possible without breaking the site) removes the Lite/Ghost-mode condition the advisory names for the RCE chain but does not necessarily close the LFI, and a WAF rule rejecting traversal sequences and stream wrappers in request paths reduces exposure. Upgrading immediately is the only complete fix.
## Detection
- Indicators of Compromise: requests to the site whose path contains traversal sequences (`../`, URL-encoded `..%2F`, double-encoded `..%252F`), PHP stream wrappers (`php://filter`, `phar://`), or the names of files that are not web assets (`wp-config.php`, `/etc/passwd`, `/proc/self/environ`, web server log files); a 200 response to such a request suggests the read succeeded. After a suspected RCE, also review log files and upload directories for injected `<?php` tags (log poisoning) and the web root for newly created PHP files.
- Detection methods and tools: Web Application Firewalls (WAFs) should inspect the decoded request path and block known LFI patterns on the WordPress installation; vulnerability scanners and plugin inventories should flag WP Ghost at or below version 5.4.01.
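An added example, not from the advisory, of running the indicators above over web server log lines in PHP. The five log lines are constructed for the demo and `/hidden-path/` is a placeholder, not a real WP Ghost path; the patterns are generic LFI signatures rather than a signature specific to this plugin.

```php
<?php
declare(strict_types=1);

// Added example, not from the advisory: scan combined-format web server log
// lines for the LFI request shapes listed under Detection. The log lines are
// constructed; "/hidden-path/" stands in for whatever rewritten path a site
// uses and is not a real WP Ghost path.

const LFI_INDICATORS = [
    'traversal'   => '#\.\.[/\\\\]#',                                    // ../ or ..\
    'php_wrapper' => '#\b(php|phar|data|expect|zip)://#i',                // php://filter etc.
    'sensitive'   => '#(/etc/passwd|/proc/self/environ|wp-config\.php|\.log\b)#i',
];

/** Returns the indicator names that fire for one request path (after decoding). */
function lfi_indicators(string $raw_path): array
{
    // Decode twice so double-encoded "..%252F" is caught as well as "..%2F".
    $decoded = rawurldecode(rawurldecode($raw_path));
    $hits = [];
    foreach (LFI_INDICATORS as $name => $re) {
        if (preg_match($re, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Parses combined log lines and returns the flagged requests with their indicators. */
function scan_access_log(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        // ip ident user [time] "METHOD path HTTP/x.y" status bytes "referer" "ua"
        if (preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m) !== 1) {
            continue;
        }
        $hits = lfi_indicators($m[4]);
        if ($hits !== []) {
            $flagged[] = [
                'ip'         => $m[1],
                'time'       => $m[2],
                'path'       => $m[4],
                'status'     => (int) $m[5], // 200 on a traversal path: the read likely succeeded
                'indicators' => $hits,
            ];
        }
    }
    return $flagged;
}

// Constructed sample: one normal asset request, three LFI attempts, one login.
$sample_log = [
    '203.0.113.10 - - [19/Mar/2025:10:00:01 +0000] "GET /assets/css/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Mar/2025:10:00:02 +0000] "GET /hidden-path/../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '198.51.100.7 - - [19/Mar/2025:10:00:03 +0000] "GET /hidden-path/..%2F..%2Fwp-config.php HTTP/1.1" 200 3012 "-" "curl/8.5.0"',
    '198.51.100.7 - - [19/Mar/2025:10:00:04 +0000] "GET /hidden-path/php://filter/convert.base64-encode/resource=../wp-config.php HTTP/1.1" 500 0 "-" "python-requests/2.32"',
    '203.0.113.10 - - [19/Mar/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample_log) as $hit) {
    printf("%s %s %d %-30s %s\n", $hit['time'], $hit['ip'], $hit['status'],
        implode(',', $hit['indicators']), $hit['path']);
}
```

Only the three requests from 198.51.100.7 are reported, each with the indicators that fired; the first two carry a 200 status and are the ones to treat as probable successful reads. Double URL-decoding before matching is what catches the `..%2F` variant, which is also why a WAF rule has to inspect the decoded path rather than the raw request line.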
## References
- Vendor advisories: Patchstack (Discovery and initial vendor notification)
- Relevant links: hxxps://patchstack.com/articles/critical-lfi-to-rce-vulnerability-in-wp-ghost-plugin-affecting-200k-sites/