Critical RCE Flaw Exposed

While over 200,000 WordPress site owners sleep soundly thinking WP Ghost is protecting their digital fortresses, a critical vulnerability has left their gates wide open. The popular security plugin, developed by John Darrel, claims to stop 140,000 hacker attacks monthly. Ironic, isn’t it? The very tool designed to keep hackers out now offers them a VIP entrance.

The ultimate irony: WordPress security plugin now serves as hackers’ red carpet into 200,000 vulnerable sites.

The vulnerability (CVE-2025-26909) was discovered by researcher Dimas Maulana on February 25, 2025. It’s rated with a CVSS score of 9.6. That’s about as bad as it gets. The flaw affects all versions up to 5.4.01 and stems from insufficient input validation in the ‘showFile()’ function.

Here’s the scary part. This Local File Inclusion vulnerability doesn’t require authentication. Any random person can exploit it. No login needed. No special skills required. Just a manipulated URL path and boom – they’re in your system.

And if your “Change Paths” feature is set to Lite or Ghost mode? Even worse. Full Remote Code Execution becomes possible. Complete website takeover.
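To make concrete what "insufficient input validation" in a file-serving function means, and what the corresponding fix looks like, here is an added example in PHP. It is not WP Ghost's code, and the function names (resolve_allowed_file(), show_file_safely()), the extension allow-list and the temporary demo directory are all hypothetical. It shows a resolver that canonicalises a requested path with realpath(), confines the result to one base directory, and allow-lists extensions, followed by a constructed set of inputs that such a check must refuse.

```php
<?php
// Added example, not the plugin's code: a hardened file resolver of the kind
// an LFI fix needs. resolve_allowed_file() and show_file_safely() are
// hypothetical names chosen for this illustration.

/**
 * Resolve a user-supplied relative path to a file strictly inside $base_dir.
 * Returns the canonical absolute path, or null if the request must be refused.
 */
function resolve_allowed_file(string $base_dir, string $requested, array $allowed_ext): ?string
{
    // Canonicalise the base directory once; fail closed if it does not exist.
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Reject anything that is not a plain relative path: empty input, null
    // bytes, stream wrappers (php://, data://, phar://) and absolute paths.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested)
        || $requested[0] === '/' || $requested[0] === '\\') {
        return null;
    }
    // Reject still-encoded dots and separators: a later decode step could
    // turn them into traversal sequences that this check never saw.
    if (preg_match('/%2e|%2f|%5c/i', $requested)) {
        return null;
    }

    // Canonicalise the joined path; realpath() resolves "..", symlinks and
    // returns false for files that do not exist.
    $candidate = realpath($base . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // The decisive check: the canonical path must still start with the base
    // (including its trailing separator, so "assets2/" cannot pass as "assets/").
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return null;
    }

    // Allow-list the extension so that logs, configs and .php sources cannot
    // be read back even when they sit inside the base directory.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    return $candidate;
}

/**
 * Serve a static asset from a fixed directory. The unsafe pattern an LFI
 * typically stems from is building the path straight from the request and
 * handing it to include()/readfile() without the checks above.
 */
function show_file_safely(string $base_dir, string $requested): void
{
    $mime = ['css' => 'text/css', 'js' => 'application/javascript',
             'png' => 'image/png', 'svg' => 'image/svg+xml'];
    $path = resolve_allowed_file($base_dir, $requested, array_keys($mime));
    if ($path === null) {
        http_response_code(404);  // say nothing about why the request failed
        exit;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . $mime[$ext]);
    readfile($path);  // never include()/require(): assets are data, not code
    exit;
}

// Constructed demonstration on a throw-away directory (not a real site).
$tmp = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/assets', 0700, true);
file_put_contents($tmp . '/assets/style.css', 'body{}');
file_put_contents($tmp . '/secret.log', 'not for the web');

$cases = [
    'style.css'                       => true,   // the only request that may succeed
    '../secret.log'                   => false,  // escapes the base directory
    '..%2Fsecret.log'                 => false,  // encoded separator
    'php://filter/resource=style.css' => false,  // stream wrapper
    "style.css\0.txt"                 => false,  // null byte
    '/etc/hostname'                   => false,  // absolute path
];
foreach ($cases as $input => $expected) {
    $ok = resolve_allowed_file($tmp . '/assets', $input, ['css']) !== null;
    printf("%-40s %s\n", json_encode($input), $ok === $expected ? 'as expected' : 'UNEXPECTED');
}
```

Run it from the command line with `php resolver_demo.php`; every line should read "as expected". The two design choices worth copying are that the check compares canonical paths, not strings the client supplied, and that the function fails closed: any doubt about the input yields null and a bare 404, never a partially validated path.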

The impact is massive. Information disclosure. Session hijacking. Log poisoning. Access to source code. DoS attacks. Your entire WordPress site is fundamentally gift-wrapped for attackers.

Patchstack analyzed the flaw and notified WP Ghost developers on March 3, 2025. They responded quickly, implementing additional validation in version 5.4.02, released just a day later on March 4. Version 5.4.03 is also available now.

The whole situation highlights a painful truth about WordPress security. Third-party security plugins sometimes become the very weakness they’re supposed to protect against. Your security plugin has a security flaw. Let that sink in.

If you’re running WP Ghost, update immediately to version 5.4.02 or later. The vulnerable code is reached through the ‘maybeShowNotFound()’ function, which triggers the flawed ‘showFile()’ routine, so without the patch you might as well put out a welcome mat for hackers. The vulnerability was published on March 20, 2025 by multiple security resources including MITRE and NVD. Implementing a comprehensive risk assessment could help identify such vulnerabilities before they’re exploited. Separately, users have reported that WP Ghost can make WordPress sites sluggish when its CSS/JS rewriting features are active.
