Critical Vulnerabilities in WP Plugins Affecting 500k+ Sites

Edward Zhou

CEO & Co-Founder
July 11, 2025 3 min read

Critical LFI to RCE Vulnerability in WP Ghost Plugin Affecting 200k+ Sites

The WP Ghost plugin has a critical vulnerability tracked as CVE-2025-26909. Users are strongly advised to update to version 5.4.02 immediately to mitigate risks. The vulnerability allows unauthenticated Local File Inclusion (LFI), which could lead to Remote Code Execution (RCE) on approximately 200,000 sites.

About the WP Ghost Plugin

The WP Ghost plugin is a widely used security tool for WordPress, boasting over 200,000 active installations. It provides multiple layers of security, blocking bots and unauthorized access.

The Security Vulnerability

The vulnerability arises from inadequate validation of user input within the showFile function. Because the file path derived from the requested URL is never sanitized, an attacker can steer the include statement at an arbitrary local file, which is what turns an LFI into RCE. Exploitation is contingent upon the Change Paths feature being enabled in Lite or Ghost mode, which is not the default setting.

The relevant segment of the function shows the missing check:

public function showFile( $url ) {
    // ... code omitted for brevity: $url_no_query and $new_path are derived from the requested URL
    // The only condition is that the URL contains the configured activation slug;
    // $new_path itself is never constrained to a safe directory before it is included.
    if ( stripos( trailingslashit( $url_no_query ), '/' . HMWP_Classes_Tools::getOption( 'hmwp_activate_url' ) . '/' ) !== false ) {
        header( "HTTP/1.1 200 OK" );
        include $new_path;
    }
}

This lack of validation allows attackers to traverse directories and include files of their choosing, leading to arbitrary code execution and posing a significant risk to server integrity.

The Patch

The issue has been addressed in version 5.4.02 with additional validation checks to ensure only specific paths are accessible. For further details, you can view the patch.


Critical Forminator Plugin Flaw Impacts Over 300k WordPress Sites

Image courtesy of BleepingComputer

The Forminator plugin, utilized in over 500,000 WordPress sites, is susceptible to a severe flaw tracked as CVE-2024-28890. This vulnerability allows remote attackers to upload unrestricted files to the server, potentially leading to significant security breaches.

Vulnerability Details

Japan's CERT issued a warning regarding this flaw, which has a CVSS score of 9.8. The vulnerabilities include:

  • CVE-2024-28890: Insufficient file upload validation.
  • CVE-2024-31077: SQL injection vulnerability, reachable with admin-level access.
  • CVE-2024-31857: Cross-site scripting (XSS) vulnerabilities.

To mitigate risks, administrators should upgrade to Forminator version 1.29.3 to address these vulnerabilities. Notably, over 320,000 sites remain exposed as of the latest updates.

For more information, see the JVN report.


Forminator Plugin Flaw Exposes WordPress Sites to Takeover Attacks

The Forminator plugin also has a severe flaw tracked as CVE-2025-6463, impacting all versions up to 1.44.2. This unauthenticated arbitrary file deletion vulnerability could enable complete site takeover.

Exploitation Mechanics

The vulnerability originates from inadequate validation of user input, allowing attackers to delete critical files such as wp-config.php. Removing that file leaves the site in an unconfigured setup state, which an attacker can then use to take control.

As explained by Wordfence, “Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.”

Discovery and Patching

The flaw was reported by security researcher ‘Phat RiO – BlueRock’ and was patched in version 1.44.3. This new version includes checks to validate field types and restrict file deletions to the WordPress uploads directory.
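As an added example (not WP Ghost's or Forminator's own code), the containment check that both patches describe, written in PHP: a request-derived path is canonicalized and refused unless it resolves inside an allowed directory, applied once to the include pattern from showFile above and once to a file deletion restricted to the uploads directory. The function names and the temp-directory layout in the demo are hypothetical.

```php
<?php
// Added example, not WP Ghost's or Forminator's own code. Function names
// and directory layout below are hypothetical. Shows the containment check
// both patches describe: resolve the path, then refuse anything outside base.

// Return the canonical path of $candidate if it lies inside $allowed_base,
// else null. realpath() collapses "..", "./" and symlinks, so a traversal
// sequence in $candidate cannot escape the base directory.
function safe_resolve_path( string $allowed_base, string $candidate ): ?string {
    $base = realpath( $allowed_base );
    $real = realpath( $candidate );
    if ( $base === false || $real === false ) {
        return null; // base or target does not exist
    }
    // Compare with a trailing separator so "/srv/uploads-evil" is not
    // accepted as being inside "/srv/uploads".
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return strncmp( $real, $base, strlen( $base ) ) === 0 ? $real : null;
}

// Hardened counterpart of the showFile() pattern: the request-derived path
// is only included after it resolves inside the plugin's own directory.
function show_file_hardened( string $plugin_dir, string $requested ): bool {
    $path = safe_resolve_path( $plugin_dir, $requested );
    if ( $path === null ) {
        return false; // outside the allowed directory: do not include
    }
    include $path;
    return true;
}

// Same check for a Forminator-style deletion: only regular files under the
// uploads directory may be removed, so ../../wp-config.php is refused.
function delete_upload_hardened( string $uploads_dir, string $requested ): bool {
    $path = safe_resolve_path( $uploads_dir, $requested );
    if ( $path === null || ! is_file( $path ) ) {
        return false;
    }
    return unlink( $path );
}

// Stand-alone demo on a constructed layout under the system temp directory.
$root = sys_get_temp_dir() . '/wp_demo_' . getmypid();
mkdir( "$root/wp-content/uploads", 0700, true );
file_put_contents( "$root/wp-config.php", "<?php // constructed placeholder\n" );
file_put_contents( "$root/wp-content/uploads/a.txt", "constructed upload" );
var_dump( delete_upload_hardened( "$root/wp-content/uploads", "$root/wp-content/uploads/../../wp-config.php" ) );
var_dump( delete_upload_hardened( "$root/wp-content/uploads", "$root/wp-content/uploads/a.txt" ) );
```

The first var_dump is false because the traversal resolves to the site root and fails the prefix test; the second is true because a.txt is a regular file inside the uploads directory.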

To protect your site, it is recommended to update to the latest version or deactivate the plugin until a secure version can be installed.

For further details, visit Wordfence.

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
