
Critical CVE-2025-26909 Vulnerability in WP Ghost Plugin: Immediate Update Required for Over 200,000 Websites

  • Rescana
  • Mar 21
  • 2 min read

Executive Summary

A critical vulnerability has been identified in the WP Ghost Plugin, affecting over 200,000 websites worldwide. This Local File Inclusion (LFI) vulnerability, cataloged as CVE-2025-26909, can escalate to Remote Code Execution (RCE) under certain conditions. The flaw poses severe security risk, reflected in its CVSS score of 9.6. All users of the WP Ghost Plugin should update to the patched version 5.4.02 immediately to mitigate potential exploitation.

Technical Information

The CVE-2025-26909 vulnerability originates from insufficient validation and improper sanitization of user-supplied input passed through the URL path in the WP Ghost Plugin. The vulnerability resides within the showFile function, which is invoked by the maybeShowNotFound function. This allows unauthenticated users to exploit the flaw by manipulating the URL to trigger a file inclusion, potentially leading to arbitrary code execution when the "Change Paths" feature is set to Lite or Ghost mode.

The flaw can be exploited using techniques such as php:// filter chains and leveraging PHP_SESSION_UPLOAD_PROGRESS. It is essential for security teams to understand the intricacies of this attack vector, which can result in unauthorized access to and control of affected systems. The vulnerability was patched by implementing strict validation of the URL and path inputs.

Exploitation in the Wild

To date, there have been no publicly documented cases of this specific vulnerability being exploited in the wild. However, the inherent nature of the vulnerability makes it a prime candidate for exploitation. Websites utilizing the WP Ghost Plugin should consider themselves at risk until they apply the necessary updates. Indicators of Compromise (IOCs) would typically include unusual or unexpected application behavior following URL manipulation attempts.
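To make the "URL manipulation attempts" mentioned above concrete for a SOC analyst, here is an added example (not code from the advisory, Rescana, or the plugin) that scans web-server access logs for the signals this advisory names: php:// stream-wrapper references in the request path, directory traversal sequences, and the PHP_SESSION_UPLOAD_PROGRESS key. The log format, the path names and the sample lines are constructed for the example; the hidden path a real site uses is whatever "Change Paths" was configured to.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in an Apache combined-style format. Not real traffic;
# the hidden path, IPs and timestamps are placeholders for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Mar/2025:10:01:02 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120
203.0.113.7 - - [21/Mar/2025:10:01:09 +0000] "GET /wp-content/themes/t/style.css?ver=1 HTTP/1.1" 200 812
198.51.100.9 - - [21/Mar/2025:10:02:15 +0000] "GET /hidden-path/php://filter/convert.base64-encode/resource=x HTTP/1.1" 404 233
198.51.100.9 - - [21/Mar/2025:10:02:20 +0000] "GET /hidden-path/..%252F..%252Fwp-config.php HTTP/1.1" 404 233
198.51.100.9 - - [21/Mar/2025:10:02:31 +0000] "GET /hidden-path/?PHP_SESSION_UPLOAD_PROGRESS=1 HTTP/1.1" 404 233
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signals drawn from the advisory's description of the attack vector.
SIGNALS = {
    "php_wrapper": re.compile(r"php://", re.IGNORECASE),
    "traversal": re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)"),
    "upload_progress": re.compile(r"PHP_SESSION_UPLOAD_PROGRESS"),
}


def normalize(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded %252F is not missed."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose decoded request target matches a signal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = normalize(m.group("target"))
        hits = [name for name, rx in SIGNALS.items() if rx.search(target)]
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "target": target,
                             "signals": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {','.join(f['signals'])} {f['target']}")
```

Responses with status 404 are still worth reviewing here, because the vulnerable code path is reached through the plugin's not-found handler.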

APT Groups using this vulnerability

As of the latest intelligence, no Advanced Persistent Threat (APT) groups have been reported to exploit this specific vulnerability. Nonetheless, vigilance is critical given the high-profile nature of the vulnerability and its potential attractiveness to cybercriminals targeting sectors utilizing WordPress for content management.

Affected Product Versions

The WP Ghost Plugin is vulnerable in all versions prior to 5.4.02. Users running any of these versions should promptly upgrade to the patched version 5.4.02 to ensure protection against potential exploits. The plugin is developed by John Darrel, and the update addresses the LFI to RCE vulnerability.

Workaround and Mitigation

The primary mitigation strategy is to update the WP Ghost Plugin to version 5.4.02 without delay. Additionally, it is advisable to ensure all user-supplied data is thoroughly sanitized and validated. Users should also consider disabling the "Change Paths" feature, particularly in Lite or Ghost mode, and re-enabling it only if its use is absolutely necessary and only after the patch has been applied.

References

For further information, users can refer to the following resources:

  • Patchstack Advisory on the WP Ghost Plugin Vulnerability: https://patchstack.com/articles/critical-lfi-to-rce-vulnerability-in-wp-ghost-plugin-affecting-200k-sites/
  • Vulnerability discovery by Dimas Maulana of Patchstack Alliance
  • Detailed security insights and WordPress best practices at Patchstack Academy: https://patchstack.com/academy

Rescana is here for you

Rescana is dedicated to helping our clients navigate the complexities of cybersecurity threats through our comprehensive Third Party Risk Management (TPRM) platform. Our team continuously monitors emerging threats and provides actionable intelligence and solutions to safeguard your digital assets. Should you have any questions about this advisory report or require assistance with other cybersecurity concerns, please do not hesitate to reach out to us at ops@rescana.com.
