Path Traversal Vulnerability in WP Ghost Plugin by WordPress
CVE-2025-2056

7.5HIGH

Key Information:

Vendor: Johndarrel
Status: WP Ghost (hide My WP Ghost) – Security & Firewall
Vendor: CVE Published:; 14 March 2025

Summary

The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress contains a path traversal vulnerability in the showFile function. This flaw, present in all versions up to and including 5.4.01, allows unauthenticated attackers to potentially access and read sensitive files on the server. By exploiting this vulnerability, attackers may gain unauthorized access to critical configuration or password files, compromising the security of the site.

Affected Version(s)

WP Ghost (Hide My WP Ghost) – Security & Firewall * <= 5.4.01

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/hide-my-wp/tag...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 14, 2025
Vulnerability Reserved
Mar 6, 2025

Credit

Michael Mazzolini