Critical Vulnerabilities in WP Plugins Affecting 500k+ Sites
Critical LFI to RCE Vulnerability in WP Ghost Plugin Affecting 200k+ Sites
The WP Ghost plugin has a critical vulnerability tracked as CVE-2025-26909. Users are strongly advised to update to version 5.4.02 immediately. The flaw allows unauthenticated Local File Inclusion (LFI), which can be escalated to Remote Code Execution (RCE), on approximately 200,000 sites.
About the WP Ghost Plugin
The WP Ghost plugin is a widely used security tool for WordPress, boasting over 200,000 active installations. It provides multiple layers of security, blocking bots and unauthorized access.
The Security Vulnerability
The vulnerability arises from inadequate validation of user input within the showFile function. The function derives a file path from the request URL, checks only that the URL contains the configured path slug (the hmwp_activate_url option), and then includes the resulting path without confining it to an expected directory. Because the path is never sanitized, an attacker who controls the URL controls which local file is included, and an LFI of this kind can often be turned into RCE. Exploitation is contingent upon the Change Paths feature being enabled in Lite or Ghost mode, which is not the default setting.
The relevant part of the function shows the missing check ($url_no_query and $new_path are derived from $url in the omitted code):
public function showFile( $url ) {
    // ... code omitted for brevity: $url_no_query and $new_path are computed from $url here
    if ( stripos( trailingslashit( $url_no_query ), '/' . HMWP_Classes_Tools::getOption( 'hmwp_activate_url' ) . '/' ) !== false ) {
        // The only gate is a substring match on the URL; nothing verifies where $new_path resolves on disk.
        header( "HTTP/1.1 200 OK" );
        include $new_path;   // unconfined path reaches include(): local file inclusion
    }
}
Because the path is never confined, an unauthenticated attacker can traverse directories and include arbitrary local files, which can be escalated to code execution on the server.
The Patch
The issue has been addressed in version 5.4.02, which adds validation checks so that only specific, expected paths can be included. For further details, you can view the patch.
Critical Forminator Plugin Flaw Impacts Over 300k WordPress Sites
The Forminator plugin, active on more than 500,000 WordPress sites, is susceptible to a severe flaw tracked as CVE-2024-28890. The vulnerability allows unauthenticated remote attackers to upload arbitrary files to the server, which can lead to a full compromise of the site.
Vulnerability Details
Japan's CERT (JPCERT/CC) issued a warning regarding this flaw, which has a CVSS score of 9.8. The advisory covers three vulnerabilities:
- CVE-2024-28890: Insufficient file upload validation (unauthenticated arbitrary file upload).
- CVE-2024-31077: SQL injection, exploitable by a user with administrator privileges.
- CVE-2024-31857: Cross-site scripting (XSS).
To mitigate these risks, administrators should upgrade to Forminator version 1.29.3 or later, which addresses all three vulnerabilities. At the time of the report, over 320,000 sites had not yet updated and remained exposed.
For more information, see the JVN report.
Forminator Plugin Flaw Exposes WordPress Sites to Takeover Attacks
The Forminator plugin also has a severe flaw tracked as CVE-2025-6463, affecting all versions up to and including 1.44.2. This unauthenticated arbitrary file deletion vulnerability can enable a complete site takeover.
Exploitation Mechanics
The vulnerability originates from inadequate validation of user-supplied form data, allowing an unauthenticated attacker to delete arbitrary files on the server, including wp-config.php. Removing that file forces the site back into its setup state, which the attacker can then abuse to take control.
As explained by Wordfence, “Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.”
Discovery and Patching
The flaw was reported by security researcher ‘Phat RiO – BlueRock’ and was patched in version 1.44.3. The fix adds checks that validate field types before acting on a submitted value and restricts file deletions to the WordPress uploads directory.
To protect your site, update to version 1.44.3 or later, or deactivate the plugin until the patched version can be installed.
For further details, visit Wordfence.
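The two bugs above fail in the same way: a path built from attacker-controlled input reaches include() (WP Ghost) or unlink() (Forminator) without first being confined to the directory the code expects. The following is an added example, not code from WP Ghost, Forminator, Patchstack or Wordfence: one PHP helper that canonicalizes a requested path and accepts it only if it stays below a base directory, used once as a hardened counterpart of the showFile include and once as a guarded deletion of the kind the Forminator 1.44.3 patch describes (deletions limited to the uploads directory). The function names, the temporary directory layout and the allow-list are assumptions for illustration; a real plugin would take the base directory from the plugin's own path or from wp_upload_dir().

```php
<?php
declare(strict_types=1);

/**
 * Resolve $relative against $base and return the canonical absolute path
 * only if it stays inside $base after "../" segments and symlinks are
 * resolved; return null otherwise.
 *
 * A substring test on the request URL (as in the vulnerable showFile) cannot
 * give this guarantee: "../" is interpreted by the filesystem at include()
 * or unlink() time, not by the string comparison.
 */
function resolve_within(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                                   // base directory must exist
    }
    // NUL bytes and stream wrappers (php://, phar://, data:, ...) never belong in a file name.
    if (strpos($relative, "\0") !== false || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative) === 1) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . ltrim($relative, "/\\"));
    if ($candidate === false) {
        return null;                                   // target does not exist
    }
    // Both sides are canonical now, so a prefix comparison is sufficient.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                   // resolved above or beside $base
    }
    return $candidate;
}

/** Hardened counterpart of showFile: include only an allow-listed file below $base. */
function safe_show_file(string $base, string $requested, array $allowedBasenames): bool
{
    $path = resolve_within($base, $requested);
    if ($path === null || !in_array(basename($path), $allowedBasenames, true)) {
        return false;
    }
    header('HTTP/1.1 200 OK');                          // no-op under the CLI SAPI
    include $path;
    return true;
}

/** Hardened form-data cleanup: unlink only regular files inside the uploads directory. */
function safe_delete_upload(string $uploadsDir, string $requested): bool
{
    $path = resolve_within($uploadsDir, $requested);
    if ($path === null || !is_file($path)) {
        return false;                                  // outside uploads, a directory, or missing
    }
    return unlink($path);
}

// --- Constructed demonstration layout (hypothetical site root inside the temp dir) ---
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/site/uploads", 0700, true);
file_put_contents("$root/site/login.php", '<?php echo "login page", PHP_EOL;' . PHP_EOL);
file_put_contents("$root/site/uploads/form-attachment.txt", "attachment" . PHP_EOL);
file_put_contents("$root/secret.txt", "outside the site root" . PHP_EOL);

$base    = "$root/site";
$uploads = "$base/uploads";
$allowed = ['login.php'];

// Legitimate request: allow-listed file directly below $base.
var_dump(safe_show_file($base, 'login.php', $allowed));
// "../" resolves to $root/secret.txt, above $base: the prefix check rejects it.
var_dump(safe_show_file($base, '../secret.txt', $allowed));
// Inside $base but not on the allow-list: rejected by the basename check.
var_dump(safe_show_file($base, 'uploads/form-attachment.txt', $allowed));
// Wrapper scheme in a "file name": rejected before realpath() is consulted.
var_dump(safe_show_file($base, 'php://filter/resource=login.php', $allowed));

// Deletion confined to the uploads directory: the first call escapes it and is refused.
var_dump(safe_delete_upload($uploads, '../login.php'));
var_dump(safe_delete_upload($uploads, 'form-attachment.txt'));
var_dump(file_exists("$base/login.php"));                // the file above uploads is untouched

// Clean up the constructed layout.
@unlink("$root/site/uploads/form-attachment.txt");
unlink("$base/login.php");
unlink("$root/secret.txt");
rmdir($uploads);
rmdir($base);
rmdir($root);
```

The design choice worth noting is that confinement is decided on the realpath() result rather than on the request string: canonicalization resolves "../" and symlinks exactly as the filesystem will, so the prefix comparison reflects the file that include() or unlink() would actually touch. The allow-list of basenames in safe_show_file is the second layer the 5.4.02 description points at ("only specific paths are accessible"); directory confinement alone would still let a request include any PHP file inside the base directory.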