CVE-2025-2056: 
WordPress vulnerability analysis and mitigation

The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in versions up to and including 5.4.01. This vulnerability was disclosed on March 14, 2025, and is tracked as CVE-2025-2056. The vulnerability affects the showFile function within the plugin, allowing unauthenticated attackers to read specific file types on the server (NVD).

The vulnerability is classified as a Path Traversal (CWE-23) issue with a CVSS v3.1 base score of 7.5 (HIGH). The attack vector is Network-based (AV:N), requires Low complexity (AC:L), needs No privileges (PR:N), and requires No user interaction (UI:N). The scope is Unchanged (S:U), with High impact on Confidentiality (C:H), but No impact on Integrity (I:N) and Availability (A:N) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to read the contents of specific file types on the server, potentially exposing sensitive information. This represents a significant security risk as it could lead to unauthorized access to confidential data stored on the affected WordPress installations (NVD).

Users should update the WP Ghost (Hide My WP Ghost) plugin to a version newer than 5.4.01. The vulnerability has been patched in version 5.4.02, as evidenced by the updated code in the WordPress Plugin Repository (WordPress Plugin).