A critical security vulnerability has been discovered in the popular WordPress plugin, WP Ghost, which boasts over 200,000 active installations.
This flaw, tracked as CVE-2025-26909, concerns an unauthenticated Local File Inclusion (LFI) vulnerability that could potentially lead to Remote Code Execution (RCE) attacks on nearly all server environments.
The vulnerability has been addressed in the latest version of the plugin; according to a report by PatchStack, users are urged to update to version 5.4.02 or later.
The vulnerability affects how the plugin handles user input via URL paths for file inclusion. In specific cases, attackers can exploit this weakness to perform path traversal attacks, allowing them to include arbitrary files on the server.
This could lead to the execution of malicious code, particularly through techniques such as using php:// filter chains or exploiting PHP’s session upload progress features.
The vulnerability is traced to the showFile function located within models/Files.php, which fails to adequately sanitize and validate input URLs.
This oversight enables an attacker to manipulate the $new_path variable, which is derived from the user-controlled URL, so that it points to any file on the server, bypassing the plugin's security checks.
Here is the relevant excerpt of the showFile function at the heart of the issue (earlier branches of its if/elseif chain are omitted in the excerpt):
    public function showFile( $url ) {
        // Initialize WordPress Filesystem
        $wp_filesystem = HMWP_Classes_ObjController::initFilesystem();

        // Remove the redirect hook
        remove_filter( 'wp_redirect', array( HMWP_Classes_ObjController::getClass( 'HMWP_Models_Rewrite' ), 'sanitize_redirect' ), PHP_INT_MAX );
        remove_filter( 'template_directory_uri', array( HMWP_Classes_ObjController::getClass( 'HMWP_Models_Rewrite' ), 'find_replace_url' ), PHP_INT_MAX );

        // In case of SAFE MODE URL or File mapping
        if ( HMW_DYNAMIC_FILES ) {
            $url = str_replace( $this->_safe_files, $this->_files, $url );
        }

        // Build the rewrite rules
        $this->buildRedirect();

        // Get the original URL and path based on rewrite rules
        $url_no_query     = ( ( strpos( $url, '?' ) !== false ) ? substr( $url, 0, strpos( $url, '?' ) ) : $url );
        $new_url          = $this->getOriginalUrl( $url );
        $new_url_no_query = ( ( strpos( $new_url, '?' ) !== false ) ? substr( $new_url, 0, strpos( $new_url, '?' ) ) : $new_url );
        $new_path         = $this->getOriginalPath( $new_url ); // derived from the attacker-controlled $url
        $ctype            = false;

        // Vulnerable code block (preceding branches of the if/elseif chain omitted in this excerpt)
        } elseif ( stripos( trailingslashit( $url_no_query ), '/' . HMWP_Classes_Tools::getOption( 'hmwp_activate_url' ) . '/' ) !== false ) {
            header( "HTTP/1.1 200 OK" );
            ob_start();
            include $new_path; // This line is vulnerable due to lack of path validation
            $content = ob_get_clean();
            // Echo the html file content
            echo $content;
            die();
        }
    }
The vendor resolved the issue by adding rigorous validation checks on user-supplied URLs and paths.
The updated version of the plugin prevents exploitation by ensuring that only authorized paths can be included.
This incident highlights the importance of strict validation and sanitization of user-provided data, especially wherever that data ends up in a file inclusion.
Restricting inclusion to an allow-list of paths or files, and rejecting anything that resolves outside it, significantly reduces the risk of this class of vulnerability.
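To make the mitigation concrete, the following is an added example of the kind of path validation described above; it is not WP Ghost's code, and the function name resolve_allowed_file, the $base_dir parameter and the extension allow-list are assumptions for illustration. It rejects stream wrappers (which closes off php:// filter chains), strips the query string and NUL bytes, canonicalises the path with realpath so that ../ segments and symlinks are resolved, and only returns a file that lies inside the permitted directory.

```php
<?php
// Added example (not the plugin's code): resolve a user-supplied URL path to a
// file under an allow-listed directory before it is ever passed to include.
// $base_dir is assumed to be the only directory this feature may serve from.
function resolve_allowed_file( string $base_dir, string $requested ): ?string {
    // Reject any scheme prefix (php://, data://, phar://, file://, ...).
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $requested ) ) {
        return null;
    }

    // Drop the query string; refuse NUL bytes, which can truncate paths in C-level calls.
    $path = strtok( $requested, '?' );
    if ( $path === false || strpos( $path, "\0" ) !== false ) {
        return null;
    }

    // Canonical form of the allowed directory.
    $base = realpath( $base_dir );
    if ( $base === false || ! is_dir( $base ) ) {
        return null;
    }

    // Canonicalise the candidate: resolves ../ and symlinks; false if it does not exist.
    $real = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $path, '/\\' ) );
    if ( $real === false || ! is_file( $real ) ) {
        return null;
    }

    // Containment check: the resolved file must sit strictly inside the allowed directory.
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $real, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null;
    }

    // Assumed allow-list of extensions this feature is meant to serve.
    $allowed_ext = array( 'html', 'css', 'js' );
    if ( ! in_array( strtolower( pathinfo( $real, PATHINFO_EXTENSION ) ), $allowed_ext, true ) ) {
        return null;
    }

    return $real;
}

// Constructed demonstration: a temporary allowed directory with one legitimate file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'allowed_' . getmypid();
mkdir( $base );
file_put_contents( $base . DIRECTORY_SEPARATOR . 'page.html', '<p>ok</p>' );

$cases = array(
    '/page.html?x=1',                   // legitimate request, query string ignored
    '/../../../etc/passwd',             // traversal: resolves outside $base
    'php://filter/resource=page.html',  // stream wrapper: rejected by scheme check
    "/page.html\0.php",                 // NUL byte: rejected
);
foreach ( $cases as $case ) {
    $result = resolve_allowed_file( $base, $case );
    echo str_replace( "\0", '\0', $case ), ' => ', ( $result === null ? 'rejected' : $result ), PHP_EOL;
}

unlink( $base . DIRECTORY_SEPARATOR . 'page.html' );
rmdir( $base );
```

The key design choice is to validate the resolved filesystem path rather than the URL string: string-level filters on ../ or php:// are easy to bypass with encoding or wrapper variants, whereas a realpath plus prefix comparison answers the only question that matters, namely whether the file that would actually be included lives in the directory the feature is allowed to serve. In a WordPress plugin the same check should be combined with a capability or nonce check on the request, since the flaw here was reachable without authentication.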