Here’s a wake-up call for WordPress site owners—if you’re running the WP Ghost plugin, it’s time for a critical update. And yes, we mean right now.
WP Ghost, a security plugin trusted by over 200,000 sites, was found to have a severe vulnerability—one that allowed attackers to take over entire websites using Remote Code Execution (RCE). All versions up to 5.4.01 are affected. If that’s what you’re running, upgrade to 5.4.02 immediately. No exceptions.
So what went wrong?
According to researchers at Patchstack, the plugin had an unauthenticated Local File Inclusion (LFI) flaw. In plain English? The plugin wasn’t doing enough to filter what users could sneak into a URL path. This oversight gave attackers a backdoor—one they could use to execute malicious code and, essentially, hijack your entire site.
The flaw, now tracked as CVE-2025-26909, scored a jaw-dropping 9.6 out of 10 on the CVSS severity scale. That’s not just high—it’s critical. Fortunately, WP Ghost’s developers have since patched the issue by adding stricter validation rules to URL and file paths. A smart move, albeit overdue.
Now here’s where it gets even more eye-opening.
WP Ghost isn’t some obscure plugin collecting digital dust—it boasts protection against SQL injections, cross-site scripting, directory traversal attacks, and a host of other threats. Its website proudly claims to block 140,000 attacks and over nine million brute-force attempts every single month. Impressive, right?
But even the strongest armor can crack if you don’t maintain it.
As Patchstack bluntly put it, “When working with user-provided data for a local file inclusion process, always implement a strict check on the supplied value and only allow users to access specific or whitelisted paths or files.” In other words, security starts with caution—and ends with vigilance.
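What that advice looks like in practice, as an added example that is not WP Ghost's code or Patchstack's: a user-supplied template name is accepted only if it matches a fixed allowlist, then canonicalised and confirmed to live under the plugin's own directory before it reaches include. The directory, the allowed names and the template query parameter are assumptions for illustration.

```php
<?php
// Added example (not WP Ghost's code): allowlist-based resolution of a
// user-supplied file name before it is handed to include/require.
// Assumed names: the plugin's template directory and the allowed file list.

const PLUGIN_TEMPLATE_DIR = __DIR__ . '/templates';           // assumed base directory
const ALLOWED_TEMPLATES   = ['login', 'maintenance', 'error']; // assumed allowlist

/**
 * Map an untrusted "template" value to an absolute path inside
 * PLUGIN_TEMPLATE_DIR, or return null if it must be rejected.
 * The weak pattern this replaces is include($base . $_GET['template']),
 * which lets the request pick the file instead of the plugin.
 */
function resolve_template_path(string $requested): ?string
{
    // 1. Structural check first: only a short, plain, lowercase name.
    //    Anything with separators, dots, NUL bytes or a scheme fails here.
    if (!preg_match('/\A[a-z0-9_-]{1,40}\z/', $requested)) {
        return null;
    }
    // 2. Exact match against the allowlist (strict comparison, no prefix test).
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 3. Defence in depth: canonicalise and confirm the result still sits
    //    under the base directory (catches symlinks or a misconfigured base).
    $base = realpath(PLUGIN_TEMPLATE_DIR);
    $path = realpath(PLUGIN_TEMPLATE_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Request handling: fail closed and log the rejected value for detection.
$requested = isset($_GET['template']) ? (string) $_GET['template'] : '';
$path = resolve_template_path($requested);
if ($path === null) {
    error_log('rejected template value: ' . substr($requested, 0, 40));
    http_response_code(400);
    exit('Invalid template.');
}
include $path;
```

Inside a real plugin the same logic would typically be wrapped with WordPress's sanitize_key() on input and wp_die() on rejection; the three checks themselves do not change.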
WordPress is a powerhouse of a platform, no doubt. But its open ecosystem of third-party plugins and themes? That’s both its strength and its Achilles’ heel. While the freedom to customize is wonderful, it comes with a catch—you have to keep everything updated. Religiously.