CVE-2025-2056

CVE-2025-2056 is a path traversal vulnerability (CWE-23) affecting the WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress in all versions up to and including 5.4.01. The flaw exists in the showFile function within the plugin's Files.php model, enabling attackers to bypass intended file access restrictions and read the contents of specific file types on the server. These files may contain sensitive information, with the vulnerability rated at a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending crafted requests to the vulnerable showFile function, they can traverse directory paths to access and disclose sensitive files, potentially exposing configuration data, credentials, or other critical information hosted on the WordPress server.

Advisories reference a patch in version 5.4.02 of the plugin, as indicated by the WordPress plugin trac browser at line 336 in models/Files.php. The Wordfence threat intelligence page provides further details on the vulnerability (ID: f43db496-80ea-442c-9417-7aa03ec95f02), recommending immediate updates to mitigate the issue. Security practitioners should verify installations and apply the latest plugin version to prevent exploitation.