WordPress security plugin WP Ghost vulnerable to remote code execution bug

Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. WP Ghost is a popular security add-on used in over 200,000 WordPress sites that claims to stop 140,000 hacker attacks and over 9 million brute-forcing attempts every month. It also offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting. However, as revealed by Patchstack, the security tool itself is vulnerable to a critical (CVSS score: 9.6) remote code execution (RCE) vulnerability that could lead to a complete website takeover. The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths. The f ... Read full article.