Critical RCE flaw exposed

While over 200,000 WordPress site owners sleep soundly thinking WP Ghost is protecting their digital fortresses, a critical vulnerability has left their gates wide open. The popular security plugin, developed by John Darrel, claims to stop 140,000 hacker attacks monthly. Ironic, isn’t it? The very tool designed to keep hackers out now offers them a VIP entrance.

The ultimate irony: WordPress security plugin now serves as hackers’ red carpet into 200,000 vulnerable sites.

The vulnerability (CVE-2025-26909) was discovered by researcher Dimas Maulana on February 25, 2025. It’s rated with a CVSS score of 9.6. That’s about as bad as it gets. The flaw affects all versions up to 5.4.01 and stems from insufficient input validation in the ‘showFile()’ function.

Here’s the scary part. This Local File Inclusion vulnerability doesn’t require authentication. Any random person can exploit it. No login needed. No special skills required. Just a manipulated URL path and boom – they’re in your system.

And if your “Change Paths” feature is set to Lite or Ghost mode? Even worse. Full Remote Code Execution becomes possible. Complete website takeover.

The impact is massive. Information disclosure. Session hijacking. Log poisoning. Access to source code. DoS attacks. Your entire WordPress site is fundamentally gift-wrapped for attackers.

Patchstack analyzed the flaw and notified WP Ghost developers on March 3, 2025. They responded quickly, implementing additional validation in version 5.4.02, released just a day later on March 4. Version 5.4.03 is also available now.

The whole situation highlights a painful truth about WordPress security. Third-party security plugins sometimes become the very weakness they’re supposed to protect against. Your security plugin has a security flaw. Let that sink in.

If you’re running WP Ghost, update immediately to version 5.4.02 or later. Without the patch, you might as well put out a welcome mat for hackers. The vulnerable code is reached through the plugin’s ‘maybeShowNotFound()’ function, which triggers the flawed ‘showFile()’ path. The vulnerability was published on March 20, 2025 by multiple security resources, including MITRE and NVD. Implementing a comprehensive risk assessment could help identify such vulnerabilities before they’re exploited. Separately, users have reported that WP Ghost can make WordPress sites sluggish when its CSS/JS rewriting features are active.
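As an added illustration (not WP Ghost’s own code or its patch), this is the shape of the input validation a file-serving function like the one described above needs before it reads a caller-supplied path; the function and directory names are hypothetical.

```php
<?php
// Added example: resolve a caller-supplied relative path to a real file inside an
// allowlisted base directory, refusing anything that escapes it. Names are hypothetical.
function safe_resolve_asset(string $baseDir, string $requested): ?string
{
    // Allow only a plain relative path of safe characters. \A and \z (unlike $) also
    // reject a trailing newline; a NUL byte fails the character class as well.
    if (!preg_match('#\A[A-Za-z0-9_][A-Za-z0-9_./-]*\z#', $requested)) {
        return null;
    }
    // Reject ".." segments up front rather than relying on realpath() alone.
    if (preg_match('#(?:\A|/)\.\.(?:/|\z)#', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses symlinks and "..", so the prefix check runs on the real location.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Serve only the asset types the feature needs (CSS/JS here), never PHP or config files.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    return in_array($ext, ['css', 'js'], true) ? $candidate : null;
}

// Stand-alone check against a constructed directory layout in the system temp dir.
$tmp = sys_get_temp_dir() . '/asset_demo_' . getmypid();
mkdir("$tmp/assets/css", 0700, true);
file_put_contents("$tmp/assets/css/site.css", 'body{}');
file_put_contents("$tmp/secret.php", '<?php // must never be served');

$cases = [
    'css/site.css'         => true,   // legitimate asset inside the base directory
    '../secret.php'        => false,  // steps out of the base directory
    'css/../../secret.php' => false,  // traversal hidden behind a valid prefix
    "css/site.css\0.php"   => false,  // embedded NUL byte
    '/absolute/path.css'   => false,  // absolute path instead of a relative one
];
foreach ($cases as $input => $expectAllowed) {
    $allowed = safe_resolve_asset("$tmp/assets", $input) !== null;
    printf("%-26s %s\n", json_encode($input), $allowed === $expectAllowed ? 'ok' : 'FAIL');
}
```

Every case prints `ok`; the first case resolves to the real path of `site.css`, the rest return `null` and would be answered with a 404 by the caller.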
