CVE-2025-26909
Published: 27 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-26909 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Hide My WP Ghost WordPress plugin developed by John Darrel. This issue affects all versions of the plugin from n/a through 5.4.01. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-98.
Remote, unauthenticated attackers can exploit the vulnerability over the network with low attack complexity, though it requires user interaction. Exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability with a changed scope, potentially leading to remote code execution via the local file inclusion path.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/hide-my-wp/vulnerability/wordpress-hide-my-wp-ghost-plugin-5-4-01-local-file-inclusion-to-rce-vulnerability?_s_id=cve provides details on the vulnerability, including mitigation recommendations.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an LFI in a public-facing WordPress plugin that enables RCE, directly mapping to T1190 for initial access via public app exploitation and T1059.004 for Unix shell command execution post-RCE.