WordPress Plugin WP Ghost Vulnerable to Critical Remote Code Execution Bug

Critical remote code execution vulnerability in WordPress plugin WP Ghost allows attackers to hijack servers. Urgent updates are required.

A critical vulnerability in the popular WordPress security plugin WP Ghost allows for remote code execution (RCE), potentially leading to complete website takeovers. This affects over 200,000 WordPress sites.

The vulnerability, tracked as CVE-2025-26909, stems from insufficient input validation within the showFile() function. Attackers can exploit this flaw by manipulating URL paths to include arbitrary files. This is particularly dangerous when WP Ghost’s “Change Paths” feature is set to Lite or Ghost mode, although these modes aren’t enabled by default. Patchstack notes that the Local File Inclusion (LFI) aspect affects nearly all setups.

“The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file,” reads Patchstack’s report.

“Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup.”

While LFI alone can be dangerous, leading to information disclosure, session hijacking, log poisoning, source code access, and denial-of-service (DoS) attacks, the RCE capability allows for complete server compromise. The severity is rated 9.6 on the CVSS scale.

Researcher Dimas Maulana discovered the flaw on February 25, 2025. Patchstack notified the vendor on March 3rd, and a fix was integrated into WP Ghost version 5.4.02, with 5.4.03 released shortly after. The patch adds additional validation to user-supplied URLs and paths. Users are urged to update immediately to mitigate this critical remote code execution vulnerability.
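The root cause described above is a file-serving routine that includes a path derived from the request without confining it. The following PHP is an added illustration of the defensive pattern such a patch applies, not WP Ghost's own code (the plugin's showFile() internals are not shown on this page): the requested name is resolved with realpath() against a fixed base directory, the result must stay under that directory, only an allow-listed extension is served, and the bytes are streamed with readfile() rather than passed to include(). The base directory, the `assets` folder, the `secret.txt` file and the extension list are constructed for the demo.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied file name to a canonical path inside $baseDir.
 * Returns the absolute path on success, or null if any check fails.
 * Added example; the directory layout and extension list are assumptions.
 */
function resolve_public_file(string $baseDir, string $requested, array $allowedExt = ['css', 'js']): ?string
{
    // 1. Reject embedded NUL bytes before touching the filesystem.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // 2. Canonicalise the base directory so symlinks and '..' are resolved.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // 3. Canonicalise the candidate; a non-existent path yields false.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // 4. Containment: the resolved path must begin with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // 5. Extension allow-list: only static asset types are ever served.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $candidate;
}

/** Stream the file as bytes; never include() a request-controlled path. */
function serve_public_file(string $baseDir, string $requested): void
{
    $path = resolve_public_file($baseDir, $requested);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    $type = str_ends_with($path, '.css') ? 'text/css' : 'application/javascript';
    header('Content-Type: ' . $type);
    readfile($path);
}

// Constructed demo layout: <tmp>/assets/style.css is servable,
// <tmp>/secret.txt sits one level above the allowed directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
mkdir($tmp . '/assets', 0700, true);
file_put_contents($tmp . '/assets/style.css', 'body{}');
file_put_contents($tmp . '/secret.txt', 'not for the web');

var_dump(resolve_public_file($tmp . '/assets', 'style.css') !== null);   // bool(true)
var_dump(resolve_public_file($tmp . '/assets', '../secret.txt'));         // NULL (escapes base)
var_dump(resolve_public_file($tmp . '/assets', "style.css\0.php"));       // NULL (NUL byte)
var_dump(resolve_public_file($tmp . '/assets', 'missing.css'));           // NULL (no such file)

// Clean up the constructed files.
unlink($tmp . '/assets/style.css');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/assets');
rmdir($tmp);
```

The containment check in step 4 is the one that matters most: string-level filtering of `..` can be bypassed by encoding or symlinks, whereas comparing the realpath() result against the canonical base directory rejects any path that does not physically reside under it.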

Technical Details of the WP Ghost Remote Code Execution Bug:

• Vulnerability: CVE-2025-26909
• Affected Versions: All versions of WP Ghost up to 5.4.01
• Root Cause: Insufficient input validation in the showFile() function.
• Impact: Remote Code Execution (RCE), potentially leading to complete website takeover.
• Mitigation: Upgrade to WP Ghost version 5.4.02 or later.

This critical remote code execution vulnerability highlights the importance of keeping WordPress plugins updated. Failure to do so can expose businesses to significant security risks.
