CVE-2025-53567: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-53567) was discovered in the Ghost Kit WordPress plugin affecting versions through 3.4.1. The vulnerability was reported by researcher LVT-tholv2k on May 29, 2025, and publicly disclosed on July 16, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High), with the following vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The technical classification identifies it as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability requires no authentication to exploit, making it particularly concerning (Patchstack).

This vulnerability could allow malicious actors to include and access local files on the target website, potentially exposing sensitive information. Of particular concern is the potential access to files containing credentials, such as database configurations, which could lead to complete database compromise depending on the server configuration (Patchstack).

The vulnerability has been patched in Ghost Kit version 3.4.2. Users are strongly advised to update to version 3.4.2 or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).