TechRadar
Sead Fadilpašić

This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
  • WP Ghost, a popular security plugin, carried a 9.6-severity flaw
  • It allows threat actors to execute malicious code remotely
  • The developers released a patch, and users should update now

WP Ghost, a popular security WordPress plugin, was carrying a vulnerability that allowed threat actors to launch Remote Code Execution (RCE) attacks and take over entire websites.

All versions of WP Ghost up to 5.4.01 are flawed, and if you’re using this plugin, make sure to update it to version 5.4.02.

“The WP Ghost plugin suffered from an unauthenticated Local File Inclusion vulnerability,” explained researchers from Patchstack. “The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file. Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup.”

Updating the add-ons

The bug is now tracked as CVE-2025-26909, and was given a severity score of 9.6/10 (critical). It was patched by adding extra validation on the supplied URL or path from the user.

WP Ghost is a popular WordPress security plugin with more than 200,000 installs.

The plugin’s page states that it stops 140,000 attacks and more than nine million brute-force attempts every month.

It claims to offer protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting attacks.

“When working with user-provided data for a local file inclusion process, always implement a strict check on the supplied value and only allow users to access specific or whitelisted paths or files,” Patchstack concluded.
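To make Patchstack's advice concrete, here is an added PHP example (not WP Ghost's code, and not the patch the developers shipped) of how a plugin can take a user-controlled value and still only ever include files it intended to. The template names, the `templates/` directory and the `view` request parameter are assumptions for illustration; the two defences shown are the ones the article points at: an allow-list of permitted files, plus a check that the resolved path is still inside the plugin's own directory.

```php
<?php
// Added example (not WP Ghost's code): safe handling of a user-supplied
// value that selects a file for a local include, following Patchstack's
// advice above. ALLOWED_TEMPLATES, the templates/ directory and the
// "view" parameter are assumptions made for this example.

declare(strict_types=1);

// Allow-list: a request may name one of these keys, never a raw path.
const ALLOWED_TEMPLATES = [
    'login'   => 'templates/login.php',
    'blocked' => 'templates/blocked.php',
    'notice'  => 'templates/notice.php',
];

/**
 * Map a user-supplied template key to an absolute file path, or null.
 *
 * Two independent checks are applied:
 *  1. the value must be an allow-list key, so a string such as
 *     "../../wp-config.php" is rejected before the filesystem is touched;
 *  2. the resolved file (after realpath() collapses ".." and symlinks)
 *     must still live inside $baseDir.
 */
function resolve_template(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null; // not allow-listed: refuse rather than "sanitise"
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_TEMPLATES[$requested]);
    if ($base === false || $path === false) {
        return null; // base directory or template file does not exist
    }

    // Containment check: the resolved path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

// The pattern the article describes is the unchecked form of this step,
// i.e. including whatever path the request supplied. The hardened form:
$requested = isset($_GET['view']) ? (string) $_GET['view'] : 'notice';
$file      = resolve_template($requested, __DIR__);

if ($file === null) {
    http_response_code(400);
    exit('invalid template');
}

include $file;
```

Inside a WordPress plugin the same lookup would normally sit behind `sanitize_key()` on the incoming value, but the allow-list is what actually closes the hole: once the user can only pick a key, there is no path for them to traverse, and the `realpath()` containment check is a second line of defence against a mistake in the allow-list itself.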

WordPress is a major target for cybercriminals. The core platform is quite robust, but it comes with a huge repository of third-party plugins and themes, both free and paid.

Many of these are vulnerable to different exploits, which is why WordPress users are advised to carefully choose their add-ons, and always make sure to keep them updated.

Via BleepingComputer