
[VIP] WordPress Plugin Flaw Puts 200,000+ Sites at Risk


#1
A critical vulnerability (CVE-2025-26909) has been discovered in the WP Ghost WordPress plugin, affecting over 200,000 sites. The flaw allows unauthenticated Local File Inclusion (LFI), which could lead to Remote Code Execution (RCE), enabling attackers to run malicious code on vulnerable websites.

Improper input validation in the showFile function allows attackers to manipulate file paths. Hackers can execute unauthorized code, potentially taking full control of websites. The issue is resolved in WP Ghost version 5.4.02.

Users must update immediately. Use security plugins to detect and block exploitation attempts. Regularly audit plugins for vulnerabilities.

This incident highlights the importance of strict input validation and prompt security updates to protect websites from cyber threats.
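The strict input validation the post calls for, sketched as an added example that is not part of the original post and is not WP Ghost's code: a request-supplied file name is resolved and checked for containment before anything is included. The helper name `resolve_inside`, the directory layout and the sample names are assumptions constructed for the demonstration.

```php
<?php
// Added example: hypothetical helper, not code from WP Ghost.
// Resolves a request-supplied name to a file inside $baseDir, or returns null.
function resolve_inside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject NUL bytes, stream wrappers (php://, data://) and absolute paths up front.
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false
        || $requested[0] === '/' || $requested[0] === '\\') {
        return null;
    }
    // realpath() collapses ../ and follows symlinks; it returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved path must sit under the base directory.
    // The trailing separator stops ".../views-old" from matching ".../views".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Only hand back the file type this directory is meant to serve.
    if (pathinfo($real, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    return $real;
}

// Constructed sandbox so the example runs offline.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/views', 0700, true);
mkdir($root . '/views-old', 0700, true);
file_put_contents($root . '/views/settings.php', '<?php // view');
file_put_contents($root . '/views-old/legacy.php', '<?php // outside base');
file_put_contents($root . '/secret.txt', 'outside base');

// Constructed sample inputs: one legitimate name, the rest must be rejected.
$cases = ['settings.php', '../secret.txt', '../views-old/legacy.php',
          'php://filter/resource=settings.php', '/etc/passwd', 'missing.php'];
foreach ($cases as $name) {
    $path = resolve_inside($root . '/views', $name);
    printf("%-40s %s\n", $name, $path === null ? 'rejected' : 'allowed');
}
```

Only `settings.php` is reported as allowed; the caller includes the returned path and never the raw request value.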