Summary: The popular WordPress security plugin WP Ghost has a critical vulnerability that could let unauthenticated attackers execute code remotely and take control of affected servers. The vulnerability, identified as CVE-2025-26909, affects all versions up to 5.4.01 and arises from insufficient input validation. Users are urged to update to version 5.4.02 or 5.4.03 to protect against this severe flaw.
Affected: WP Ghost plugin for WordPress
Keypoints:
- WP Ghost has a critical RCE vulnerability with a CVSS score of 9.6.
- The flaw allows attackers to include arbitrary files via manipulated URL paths under certain configuration modes.
- Versions prior to 5.4.02 are susceptible; users are advised to upgrade to mitigate risks.
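
To find installs that still need the upgrade, the following added example (not code from the advisory or from the plugin) reads the standard WordPress plugin header of each plugin's PHP files and compares the version numerically against 5.4.02. It assumes the plugin's `Plugin Name:` header contains "WP Ghost" and that plugins live under `wp-content/plugins`; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (5, 4, 2)         # first patched release named in the advisory
PLUGIN_NAME = "wp ghost"  # assumption: text of the plugin's "Plugin Name:" header

# WordPress reads header fields such as "Version:" from a comment block
# in the first 8 KB of the plugin's main PHP file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.I | re.M)

def read_headers(php_source):
    """Return the plugin header fields (lower-cased keys), first match wins."""
    fields = {}
    for key, value in HEADER.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def parse_version(text):
    """'5.4.01' -> (5, 4, 1): compare numerically, never as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def classify(php_source):
    """Return 'not-wp-ghost', 'unknown', 'vulnerable' or 'patched'."""
    fields = read_headers(php_source)
    if PLUGIN_NAME not in fields.get("plugin name", "").lower():
        return "not-wp-ghost"
    version = parse_version(fields.get("version", ""))
    if not version:
        return "unknown"
    return "vulnerable" if version < FIXED else "patched"

def audit(plugins_dir):
    """Classify every top-level PHP file of every plugin folder."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        status = classify(php.read_text(encoding="utf-8", errors="replace"))
        if status != "not-wp-ghost":
            results.append((str(php), status))
    return results

# Constructed sample header, not copied from the real plugin.
SAMPLE = "<?php\n/*\n * Plugin Name: WP Ghost\n * Version: 5.4.01\n */\n"

if __name__ == "__main__":
    for path, status in audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(f"{status:10} {path}")
```

Run it with the plugins directory as the only argument; an `unknown` result means the header matched but carried no readable version and should be checked by hand.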