Local File Inclusion Vulnerability in Hide My WP Ghost Plugin by John Darrel
CVE-2025-26909

9.6 CRITICAL

Key Information:

Vendor: WordPress

CVE Published: 27 March 2025

Badges

📈 Score: 518 | 👾 Exploit Exists | 🟡 Public PoC

What is CVE-2025-26909?

CVE-2025-26909 refers to a vulnerability affecting the Hide My WP Ghost plugin developed by John Darrel, which is designed to enhance the security and privacy of WordPress sites by obscuring their actual paths and preventing unauthorized access to sensitive files. This vulnerability allows for Local File Inclusion (LFI), which can potentially be exploited by attackers to access local files on the server, leading to unauthorized data exposure or code execution. The presence of such a flaw can significantly undermine an organization's web security posture, increasing the risk of compromised data integrity and confidentiality.

Technical Details

The vulnerability arises from improper control of the filenames passed to include/require statements in the PHP code of the Hide My WP Ghost plugin. Specifically, it can allow attackers to manipulate the file paths, resulting in the inclusion of unintended files from the server's filesystem. This type of exploitation typically hinges on the server's misconfiguration or insufficient validation of user input, making it relatively straightforward for an attacker to leverage.
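The flaw class described above (CWE-98) and one way to close it, shown as an added illustration that is not code from the Hide My WP Ghost plugin. The `TEMPLATE_DIR` constant, the `view` request parameter and the allowlist entries are hypothetical.

```php
<?php
// Added illustration of CWE-98; not the plugin's code.
// TEMPLATE_DIR, the 'view' parameter and the allowlist are hypothetical.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable pattern: the request value reaches include unchecked, so the
// caller, not the developer, decides which file PHP loads and executes.
function render_unsafe(string $view): void
{
    include TEMPLATE_DIR . '/' . $view . '.php';
}

// Hardened pattern: map the request value onto a fixed set of known files,
// then confirm the resolved path is still inside the template directory.
function resolve_view(string $view): ?string
{
    $allowed = ['dashboard' => 'dashboard.php', 'settings' => 'settings.php'];
    if (!isset($allowed[$view])) {
        return null;                 // unknown name: never build a path from it
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $allowed[$view]);
    // realpath() returns false for missing files and resolves ../ and symlinks.
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                 // resolved location is outside TEMPLATE_DIR
    }
    return $path;
}

function render_safe(string $view): void
{
    $path = resolve_view($view);
    if ($path === null) {
        http_response_code(404);     // reject instead of including anything
        return;
    }
    include $path;
}

// Non-string input (for example an array parameter) is treated as unknown.
$view = $_GET['view'] ?? 'dashboard';
render_safe(is_string($view) ? $view : '');
```

The allowlist does the real work here; the `realpath()` containment check is a second layer that still holds if an allowlisted file is later replaced by a symlink pointing outside the directory.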

Potential impact of CVE-2025-26909

  1. Data Exposure: Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, exposing confidential information stored on the server, which could include user data, configuration files, or vital system information.

  2. Remote Code Execution: In some scenarios, an attacker could craft specific exploit payloads that not only reveal sensitive data but also allow for the execution of arbitrary code on the server, leading to a complete takeover of the affected system.

  3. System Integrity Compromise: The vulnerability poses risks to the integrity of the web application, as it enables attackers to include files that could lead to the installation of backdoors or other malicious software, further jeopardizing the entire web infrastructure and potentially facilitating future attacks.

Affected Version(s)

Hide My WP Ghost <= 5.4.01

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dimas Maulana (Patchstack Alliance)