CVE-2025-26909: 
WordPress vulnerability analysis and mitigation

CVE-2025-26909 is a critical Local File Inclusion (LFI) vulnerability discovered in the WP Ghost WordPress plugin, affecting versions through 5.4.01. The vulnerability was discovered in March 2025 and affects over 200,000 active installations. The plugin, developed by John Darrel, is a popular security and firewall solution for WordPress websites (Patchstack Article).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98). It received a CVSS v3.1 score of 9.6 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The issue occurs due to insufficient user input validation in the URL path that can be included as a file. The vulnerability exists in the showFile function and can be triggered through the template_redirect hook by unauthenticated users (Patchstack Article).

The vulnerability could lead to Remote Code Execution (RCE) on affected systems. Attackers could potentially execute arbitrary code through techniques such as php:// filter chains and PHP_SESSION_UPLOAD_PROGRESS. The vulnerability is particularly dangerous when the Change Paths feature is set to Lite or Ghost mode (Patchstack Article).

Users are strongly advised to update to version 5.4.02 or later, which includes a patch that adds additional validation on the supplied URL or path from users. The vendor addressed the issue by implementing strict checks on supplied values and only allowing access to specific or whitelisted paths or files (Patchstack Article).

The security community has classified this as a highly dangerous vulnerability expected to become mass exploited. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users update to a fixed version (Patchstack Database).