
A high-severity security vulnerability has been identified in the popular WordPress plugin, WP Ghost. With over 200,000 active installations, WP Ghost is a widely-used free security and firewall plugin developed by John Darrel. This plugin aims to bolster WordPress website security by adding “multiple layers of security to block bots and prevent unauthorized access.”
The vulnerability is an unauthenticated Local File Inclusion (LFI) flaw. This type of vulnerability occurs when user-supplied input in a URL path is not sufficiently validated before being used to include a file.
In the case of WP Ghost, this flaw could allow attackers to achieve Remote Code Execution (RCE) on affected systems. The vulnerability has been assigned CVE-2025-26909 and has a CVSS score of 9.6, indicating its critical severity.
The vulnerability exists within the showFile function, which can be called from the maybeShowNotFound function. The maybeShowNotFound function is hooked to the template_redirect action, meaning it can be triggered by unauthenticated users. If an unauthenticated user tries to access a non-existent path or file, the maybeShowNotFound function is called, which in turn calls the showFile function.
The problem lies in how the $new_path variable is handled in the showFile function. This variable receives its value from the getCurrentURL -> getOriginalUrl -> getOriginalPath function chain. The value is then passed directly to the require_once statement without any checks or sanitization.
This lack of validation allows attackers to perform path traversal and include arbitrary files on the server, potentially leading to arbitrary code execution. Common techniques to leverage LFI to RCE, such as php:// filter chains and the PHP_SESSION_UPLOAD_PROGRESS trick, could be employed.
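The root cause described above is a request-derived path reaching require_once unchecked. The following PHP is an added example, not code from WP Ghost or its author, showing the kind of guard a plugin would place in front of such an include: the function name safe_include_template(), its $allowed_dir parameter, and the temporary demo directory are all assumptions made for this illustration. It rejects stream wrappers (so php:// and similar schemes never reach the include), absolute paths, NUL bytes and ".." segments, then canonicalises the result with realpath() and insists the target is a regular .php file inside the allow-listed directory.

```php
<?php
// Added example (not WP Ghost's own code): a guarded alternative to passing
// a request-derived path straight into require_once. The function name,
// parameter names and demo directory below are hypothetical.

/**
 * Include a template named by a request-derived relative path, but only if it
 * resolves to a regular .php file inside $allowed_dir.
 * Returns true when the file was included, false when any check fails.
 */
function safe_include_template(string $requested, string $allowed_dir): bool
{
    // 1. Refuse stream wrappers (php://, data://, phar://, ...) and absolute
    //    paths; only a plain, non-empty relative name is acceptable.
    if ($requested === ''
        || $requested[0] === '/'
        || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested)) {
        return false;
    }

    // 2. Refuse embedded NUL bytes and any ".." segment before touching the
    //    filesystem, so traversal is stopped on the string itself.
    if (strpos($requested, "\0") !== false) {
        return false;
    }
    foreach (explode('/', str_replace('\\', '/', $requested)) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }

    // 3. Canonicalise both sides and require the target to lie strictly
    //    inside the allow-listed directory (symlinks are resolved here too).
    $base   = realpath($allowed_dir);
    $target = realpath($allowed_dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return false;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false; // resolved outside $allowed_dir
    }

    // 4. Only regular .php files are valid include targets.
    if (!is_file($target) || substr($target, -4) !== '.php') {
        return false;
    }

    require_once $target;
    return true;
}

// Constructed demo: a temporary allow-listed directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe_include_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/404.php', "<?php echo \"custom 404 template loaded\\n\";");

// A legitimate template name inside the directory is included.
var_dump(safe_include_template('404.php', $dir));
// A traversal attempt and a stream-wrapper attempt are both refused.
var_dump(safe_include_template('../../outside.php', $dir));
var_dump(safe_include_template('php://filter/resource=404.php', $dir));

unlink($dir . '/404.php');
rmdir($dir);
```

The order of the checks matters: the string-level rejections (wrapper scheme, absolute path, NUL, "..") run before realpath() so that no attacker-controlled value is ever handed to a filesystem or stream call, and the realpath() prefix comparison catches anything the string checks cannot see, such as symlinks pointing outside the directory.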
It’s important to note that this vulnerability can only be exploited if the “Change Paths” feature in WP Ghost is set to “Lite” or “Ghost” mode. This feature is not enabled by default.
The vulnerability is addressed in WP Ghost version 5.4.02. Users are strongly advised to update to this version immediately.