Subj : This top WordPress plugin could be hiding a worrying security fla
To : All
From : TechnologyDaily
Date : Fri Mar 21 2025 16:30:08

This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Date: Fri, 21 Mar 2025 16:25:00 +0000
Description: Older versions of WP Ghost grant threat actors remote code execution abilities, so make sure to update the plugin.

FULL STORY
======================================================================

- WP Ghost, a popular security plugin, carried a 9.6-severity flaw
- It allows threat actors to execute malicious code remotely
- The developers released a patch, and users should update now

WP Ghost, a popular security WordPress plugin, was carrying a vulnerability that allowed threat actors to launch Remote Code Execution (RCE) attacks and take over entire websites. All versions of WP Ghost up to 5.4.01 are flawed, and if you're using this plugin, make sure to update it to version 5.4.02.

The WP Ghost plugin suffered from an unauthenticated Local File Inclusion vulnerability, explained researchers from Patchstack. "The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file. Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all environment setups."

Updating the add-ons

The bug is now tracked as CVE-2025-26909, and was given a severity score of 9.6/10 (critical). It was patched by adding extra validation on the supplied URL or path from the user.

WP Ghost is a popular website builder security plugin, with more than 200,000 installs. The plugin's page states that it stops 140,000 attacks and more than nine million brute-force attempts every month. It claims to offer protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting attacks.
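To make the fix described for CVE-2025-26909 concrete, here is an added illustration in PHP (not WP Ghost's code, and not from Patchstack or TechRadar): a hypothetical plugin that includes a template file chosen by a request parameter, first in the unvalidated form that gives rise to this class of LFI, then in a hardened form that resolves the user-visible name through an allow-list and checks the resolved path stays inside the template directory. The function names, the `templates/` directory and the template list are all assumptions.

```php
<?php
// Added illustration, not WP Ghost's code: a hypothetical plugin that takes a
// template name from the request and includes a PHP file for it.

// Vulnerable pattern (the bug class behind CVE-2025-26909): the request value
// is used directly as part of the include path, with no validation at all.
function render_template_unsafe(string $name): void
{
    include __DIR__ . '/templates/' . $name;
}

// Hardened form: map the user-visible name through an explicit allow-list,
// then confirm with realpath() that the resolved file sits inside the template
// directory (defence in depth against a bad entry or a symlink).
function template_allowlist(): array
{
    return [
        'login'     => 'login.php',
        'captcha'   => 'captcha.php',
        'not-found' => 'not-found.php',
    ];
}

function resolve_template(string $name, string $templateDir): ?string
{
    $allow = template_allowlist();
    if (!array_key_exists($name, $allow)) {
        return null;                            // unknown name: refuse it
    }
    $base = realpath($templateDir);
    $file = realpath($templateDir . '/' . $allow[$name]);
    if ($base === false || $file === false) {
        return null;                            // directory or file missing
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;                            // resolved outside the directory
    }
    return $file;
}

function render_template(string $name): void
{
    $file = resolve_template($name, __DIR__ . '/templates');
    if ($file === null) {
        http_response_code(404);                // refuse; never fall back to $name
        return;
    }
    include $file;
}
```

With the hardened form, a request naming anything not in the list (including traversal sequences or absolute paths) yields null from resolve_template() and nothing is included; the request value never becomes part of a filesystem path.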
"When working with user-provided data for a local file inclusion process, always implement a strict check on the supplied value and only allow users to access specific or whitelisted paths or files," Patchstack concluded.

WordPress is a major target for cybercriminals. Its platform is quite robust, but it comes with a huge repository of third-party plugins and themes, both free-to-use and paid. Many of these are vulnerable to different exploits, which is why WordPress users are advised to carefully choose their add-ons and always make sure to keep them updated.

Via BleepingComputer

======================================================================
Link to news story: https://www.techradar.com/pro/security/this-top-wordpress-plugin-could-be-hiding-a-worrying-security-flaw-so-be-on-your-guard

--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)