Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
nerdculture.de is one of the many independent Mastodon servers you can use to participate in the fediverse.
Be excellent to each other, live humanism, no nazis, no hate speech. Not only for nerds, but the domain is somewhat cool. ;) No bots in general. Languages: DE, EN, FR, NL, ES, IT

Administered by:

Server stats:

1.2K
active users

nerdculture.de: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Olly 👾

WordPress Security Plugin WP Ghost vulnerable to Remote Code Execution Bug.

The flaw, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths.

patchstack.com/articles/critic

WP Ghost is a popular security add-on used in over 200,000 WordPress sites that claims to stop 140,000 attacks and over 9 million brute-forcing attempts every month. It also offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks and cross-site scripting. However, as revealed by Patchstack, the security tool itself is vulnerable to a critical (CVSS score: 9.6) remote code execution (RCE) vulnerability that could lead to a complete website takeover. "The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file," reads Patchstack's report. "Due to the behavior of the LFI case, this vulnerability could lead to Remote Code Execution on almost all of the environment setup." Hence, the vulnerability allows LFI universally, but whether it escalates to RCE depends on the specific server configuration. LFI without RCE can still be dangerous through scenarios such as information disclosure, session hijacking, log poisoning, access to source code and denial of service (DoS) attacks. ⚠️The patch was incorporated on WP Ghost version 5.4.02, while version 5.4.03 has also been made available in the meantime. Users are recommended to upgrade to either version to mitigate CVE-2025-26909.⚠️
#wordpress#wpghost#plugin
Mar 24, 2025, 12:11 PM·Public·Metatext
3boosts·0favorites
ExploreLive feeds
About