
A critical vulnerability (CVE-2025-26909) has been identified in the Hide My WP Ghost WordPress plugin, affecting over 200,000 installations. The flaw, rated 9.6 on the CVSS scale, allows unauthenticated attackers to perform Local File Inclusion (LFI) and potentially achieve Remote Code Execution (RCE) under specific server configurations. The vulnerability stems from improper input validation in the plugin’s `showFile()` function, which unsafely processes user-supplied paths [^1].
TL;DR for Security Leaders
- Risk: Critical (CVSS 9.6) LFI-to-RCE chain affecting all versions ≤5.4.01.
- Impact: Unauthenticated file reads, code execution via PHP wrappers.
- Affected: WordPress sites using Hide My WP Ghost (non-default “Change Paths” feature required for full exploitability).
- Patch: Update to v5.4.02 immediately.
- Workaround: Disable “Change Paths” feature if patching is delayed.
Technical Analysis
The vulnerability resides in the plugin’s file inclusion mechanism, where the `showFile()` function fails to sanitize user-controlled input before passing it to PHP’s `include` statement. Below is the vulnerable code snippet identified by researcher Dimas Maulana [^2]:

```php
public function showFile($url) {
    // ...
    $new_path = $this->getOriginalPath($new_url); // Unsanitized input
    include $new_path; // Vulnerable line
    // ...
}
```
Attackers can exploit this by manipulating URLs to include arbitrary files, such as `/etc/passwd` or PHP session files, using traversal sequences (e.g., `../../`). When combined with PHP wrappers like `php://filter`, this may escalate to RCE. Notably, full RCE requires the plugin’s “Change Paths” feature to be set to Lite/Ghost mode, which is not enabled by default [^3].
Proof of Concept (PoC)
While no public exploit code is available, researchers have confirmed the following attack vectors:
- LFI: `https://victim-site.com/?file=../../../../etc/passwd`
- RCE (conditional): `php://filter/convert.base64-encode/resource=/var/www/html/wp-config.php`
Mitigation Steps
- Immediate Action: Upgrade to Hide My WP Ghost v5.4.02 or later.
- Temporary Fix: Disable the “Change Paths” feature via the WordPress admin panel (Settings → Hide My WP → Change Paths).
- Detection: Monitor logs for unusual file access patterns (e.g., repeated `include` attempts to sensitive paths).
Relevance to Security Professionals
- Red Teams: Can simulate attacks using LFI to test detection capabilities.
- Blue Teams: Should prioritize patching and review server configurations to disable dangerous PHP wrappers.
- Threat Hunters: Look for anomalous HTTP requests containing `../` sequences or PHP wrapper strings.
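The Detection step under Mitigation and the Threat Hunters item above come down to the same log check, so here is one added example (Python written for this article, not tooling from the plugin vendor or the cited researchers) that scans web-server access-log lines for traversal sequences, PHP wrapper strings and sensitive file names, after percent-decoding the request target so encoded variants such as `%2e%2e%2f` surface as `../`. The log lines are constructed samples using documentation IP ranges, and the indicator names and regexes are assumptions made for the demo.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx combined log format, enough fields for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicator patterns (constructed for this example).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
WRAPPER_RE = re.compile(r"\b(php|phar|data|expect|zip|glob)://|\bdata:", re.IGNORECASE)
SENSITIVE_RE = re.compile(
    r"(/etc/passwd|/etc/shadow|wp-config\.php|/proc/self/environ)", re.IGNORECASE
)

# Constructed sample log: three probes from one source, two benign requests from another.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:00:01 +0000] "GET /?file=../../../../etc/passwd HTTP/1.1" 200 1532
203.0.113.10 - - [12/Mar/2025:10:00:03 +0000] "GET /?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2210
203.0.113.10 - - [12/Mar/2025:10:00:05 +0000] "GET /?file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 3120
198.51.100.7 - - [12/Mar/2025:10:00:07 +0000] "GET /wp-content/plugins/example/assets/style.css HTTP/1.1" 200 812
198.51.100.7 - - [12/Mar/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def normalize_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so single- and double-encoded
    traversal both end up as literal '../' before matching."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected log format; skip rather than guess
    target = normalize_target(m.group("target"))
    indicators = []
    if TRAVERSAL_RE.search(target):
        indicators.append("path_traversal")
    if WRAPPER_RE.search(target):
        indicators.append("php_wrapper")
    if SENSITIVE_RE.search(target):
        indicators.append("sensitive_path")
    if not indicators:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "target": target,
        "status": m.group("status"),
        "indicators": indicators,
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines and collect the findings."""
    return [hit for hit in (analyze_line(line) for line in lines) if hit]


def summarize(findings) -> dict:
    """Count findings per source IP; repeated probes from one address are the
    pattern a hunter wants to surface first."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ip"], h["status"], ",".join(h["indicators"]), h["target"])
    print("per-source counts:", summarize(hits))
```

A status of 200 on a request that carries `../` or a `php://` prefix is the combination worth escalating; a 404 or 403 still shows intent but indicates the request was refused.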
Conclusion
CVE-2025-26909 underscores the risks posed by third-party WordPress plugins, particularly those handling file operations. Organizations using Hide My WP Ghost should treat this as a high-priority remediation task given the plugin’s widespread use and the vulnerability’s critical severity.