CVE-2025-26909

Description

The WP Ghost plugin suffered from an unauthenticated Local File Inclusion vulnerability. The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file. Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup.

References

https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp-ghost-vulnerable-to-remote-code-execution-bug/

https://patchstack.com/articles/critical-lfi-to-rce-vulnerability-in-wp-ghost-plugin-affecting-200k-sites/

Details

Source: Mitre, NVD