WordPress Plugin Vulnerability Exposes 200k+ Sites to Code Execution Attacks
- From site: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
A critical vulnerability has been discovered in WP Ghost, a popular WordPress security plugin with over 200,000 active installations.
The high-severity flaw, tracked as CVE-2025-26909 with a CVSS score of 9.6, allows unauthenticated attackers to exploit a Local File Inclusion (LFI) vulnerability that can lead to Remote Code Execution (RCE).
Website administrators are strongly advised to update immediately to version 5.4.02 or later to mitigate this serious security risk.
Critical Local File Inclusion Vulnerability
The critical vulnerability was discovered by Dimas Maulana, a security researcher at Patchstack Alliance.
The flaw exists in the WP Ghost plugin’s file handling functionality, specifically in the showFile function within the plugin’s codebase. The vulnerability stems from insufficient validation of user input via URL paths that can be included as files.
“The WP Ghost plugin suffered from an unauthenticated Local File Inclusion vulnerability. The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file,” the Patchstack security team said.
Technical analysis reveals that the vulnerability can be exploited through the following chain of function calls:
The vulnerability is triggered when the maybeShowNotFound function is hooked to template_redirect, which can be accessed by unauthenticated users.
If a path accessed by an unauthenticated user is not found, it triggers the vulnerable code path, ultimately allowing attackers to perform path traversal and include arbitrary files on the server.
Risk Factors and Details
Affected Products: WP Ghost plugin (versions up to 5.4.01), with over 200,000 active installations
Impact: Remote Code Execution (RCE)
Exploit Prerequisites: Requires the “Change Paths” feature to be set to Lite or Ghost mode
CVSS 3.1 Score: 9.6 (Critical severity)
Attack Vector and Impact
Security advisories indicate that while this vulnerability requires the Change Paths feature in WP Ghost to be set to “Lite” or “Ghost” mode (not enabled by default), when exploitable, it allows attackers to leverage several techniques to achieve RCE, including php:// filter chains and PHP_SESSION_UPLOAD_PROGRESS tricks.
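As an added illustration that is not WP Ghost's code or Patchstack's analysis: a hypothetical PHP handler showing the include-of-a-URL-path pattern described above, beside a hardened version that resolves the requested path, confines it to an allowlisted directory, and as a side effect also rejects php:// and other stream wrappers. Function names and the templates directory are assumptions.

```php
<?php
// Added illustration, not WP Ghost's code. Function and directory names are hypothetical.

// Vulnerable shape: a path taken from the request URL is only trimmed, then included.
// Traversal sequences and stream wrappers reach include() without any check.
function show_file_vulnerable(string $requested_path): void
{
    $file = __DIR__ . '/templates/' . ltrim($requested_path, '/');
    include $file;
}

// Hardened shape: resolve the real filesystem path, require it to stay inside an
// allowlisted base directory and carry an expected extension, then include it.
function show_file_safe(string $requested_path): bool
{
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return false; // base directory missing; nothing may be served
    }

    // realpath() returns false for non-existent files and for wrapper URLs such as
    // php://filter, and it collapses "../" segments and symlinks, so the containment
    // check below operates on the real target.
    $target = realpath($base . '/' . ltrim($requested_path, '/'));
    if ($target === false) {
        return false;
    }

    // Containment: the resolved path must begin with "<base>/" (not merely "<base>").
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        error_log('Rejected template path outside base directory: ' . $requested_path);
        return false;
    }

    // Extension allowlist: only static template files are ever included.
    if (pathinfo($target, PATHINFO_EXTENSION) !== 'html') {
        error_log('Rejected template with unexpected extension: ' . $requested_path);
        return false;
    }

    include $target;
    return true;
}
```

The error_log() calls give a defender a concrete string to alert on when a request tries to leave the templates directory.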
“This type of LFI vulnerability is particularly dangerous because it provides a direct path to executing malicious code on affected websites,” researchers said.
After being notified on March 3, 2025, the plugin developer, John Darrel, promptly released version 5.4.02 on March 4 to address the vulnerability. The patch implements additional validation on user-supplied URLs and paths:
For WordPress site administrators using WP Ghost, immediate action is recommended:
- Update to WP Ghost version 5.4.02 or later
- Verify your site hasn’t been compromised if you’ve been running a vulnerable version
- Consider implementing additional security measures if you manage critical websites
The WordPress security community has formed an alliance to address similar vulnerabilities across the ecosystem. Patchstack has added this vulnerability to its database and is protecting its customers.
“Making the WordPress ecosystem more secure is a team effort,” researchers said. “We believe that plugin developers and security researchers should work together through programs like our mVDP (Managed Vulnerability Disclosure Program) to report, manage, and address vulnerabilities efficiently.”
The discovery and responsible disclosure of this vulnerability highlight the ongoing security challenges facing the WordPress ecosystem, which powers approximately 43% of all websites on the internet.