CVE-2025-26909

9.6 CRITICAL

📋 TL;DR

This vulnerability allows attackers to include arbitrary local files through PHP's include/require statements in the Hide My WP Ghost WordPress plugin. Attackers can potentially execute malicious code on affected WordPress sites. All WordPress installations using Hide My WP Ghost versions up to 5.4.01 are affected.

💻 Affected Systems

Products:
  • Hide My WP Ghost WordPress Plugin
Versions: n/a through 5.4.01
Operating Systems: Any OS running PHP and WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled. No special configuration needed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠 Likely Case: Local file inclusion allowing attackers to read sensitive files like wp-config.php, potentially leading to database access and privilege escalation.

🟢 If Mitigated: Limited information disclosure if file inclusion is restricted to non-sensitive directories.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and this vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward as this is a classic file inclusion vulnerability with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.4.02 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/hide-my-wp/vulnerability/wordpress-hide-my-wp-ghost-plugin-5-4-01-local-file-inclusion-to-rce-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find Hide My WP Ghost.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.4.02+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate hide-my-wp-ghost

Restrict PHP File Operations (platform: linux)

Add .htaccess rules to restrict file inclusion in the plugin directory:

# Place in the plugin directory. Blocks direct HTTP requests for PHP-like
# files there; it does not affect PHP-side include()/require() and may break
# plugin features served from this directory, so test before relying on it.
<FilesMatch "\.(php|php3|php4|php5|phtml|inc)$">
  # Apache 2.2 syntax (needs mod_access_compat on Apache 2.4);
  # the Apache 2.4 equivalent is: Require all denied
  Order Deny,Allow
  Deny from all
</FilesMatch>

🧯 If You Can't Patch

  • Remove the Hide My WP Ghost plugin completely from the WordPress installation
  • Implement web application firewall rules to block requests containing file inclusion patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Hide My WP Ghost version. If version is 5.4.01 or earlier, you are vulnerable.

Check Version:

wp plugin get hide-my-wp-ghost --field=version

Verify Fix Applied:

Verify plugin version is 5.4.02 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file include requests in PHP error logs
  • Requests to plugin files with file path parameters

Network Indicators:

  • HTTP requests containing file path traversal patterns to plugin endpoints

SIEM Query:

source="*access.log*" AND ("hide-my-wp" OR "hidemywp") AND (".." OR "include" OR "require" OR "php://")
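The log and network indicators listed above, as an added example that is not from the advisory or the plugin vendor: a Python scanner that reads web server access-log lines in the common "combined" format and flags requests to plugin paths that carry a traversal sequence or a php:// stream wrapper in the request target. It goes a step beyond the SIEM query above by URL-decoding the target up to twice, so that %2e%2e and double-encoded %252e%252e forms are caught, and it keeps the server's status code so blocked (403) and served (200) attempts can be told apart. The sample log lines, the `example.php` file name, the `f` parameter and the IP addresses are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Fields we need from an Apache/Nginx "combined" log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Strings the advisory's SIEM query keys on for this plugin.
PLUGIN_MARKERS = ("hide-my-wp", "hidemywp")
# "../" or "..\" (or ".." at the very end of the decoded target).
TRAVERSAL_RE = re.compile(r"\.\.([/\\]|$)")


def normalize(target: str, rounds: int = 2) -> str:
    """URL-decode the request target repeatedly so that encoded (%2e%2e)
    and double-encoded (%252e%252e) sequences are compared in plain form."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line: str):
    """Return a dict describing why a line is suspicious, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalize(m.group("target"))
    lowered = target.lower()
    if not any(marker in lowered for marker in PLUGIN_MARKERS):
        return None
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append("path traversal")
    if "php://" in lowered:
        reasons.append("php stream wrapper")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "target": target,
        "reasons": reasons,
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log lines (not real traffic); line 1 and 3 are benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-content/plugins/hide-my-wp/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-content/plugins/hide-my-wp/example.php?f=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Mar/2025:12:00:03 +0000] "GET /?s=hide+my+wp HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2025:12:00:04 +0000] "GET /wp-content/plugins/hide-my-wp/example.php?f=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.9 - - [10/Mar/2025:12:00:05 +0000] "GET /wp-content/plugins/hide-my-wp/example.php?f=php%3A%2F%2Ftemp HTTP/1.1" 500 0 "-" "-"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["reasons"]), hit["target"])
```

A 200 response on a flagged line deserves an immediate look at the server, while a 403 indicates a WAF or .htaccess rule did its job; both are still worth keeping as evidence of who probed the site and when.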
