PT-2025-12374 · WordPress · Wp Ghost

Dimas Maulana · Published 2025-03-20 · Updated 2025-06-23 · CVE-2025-26909

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Hide My WP Ghost versions n/a through 5.4.01

Description: The issue affects the Hide My WP Ghost plugin and allows PHP Local File Inclusion due to improper control of the filename used in an include/require statement in a PHP program. This flaw can be exploited for remote code execution, potentially affecting over 200,000 sites using the WP Ghost plugin. The vulnerability arises from inadequate input validation in the showFile() function.

Recommendations: For Hide My WP Ghost versions n/a through 5.4.01, update to version 5.4.02 or 5.4.03 to fix the issue. As a temporary workaround, consider restricting access to the showFile() function until a patch is available.
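
To check an installed copy against the affected range above, the following added example (not part of the advisory or of the plugin's code) reads the `Version:` field from a plugin file's header comment and compares it with 5.4.01. It assumes the standard WordPress plugin header layout; the function names and the sample header are constructed for illustration.

```python
import re

# Boundary from the advisory: affected through 5.4.01, fixed in 5.4.02.
LAST_AFFECTED = "5.4.01"

# "Version:" field of a WordPress plugin header comment, e.g. " * Version: 5.4.01".
_HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d\S*)", re.M | re.I)

# Constructed sample header, not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Example Plugin (constructed sample)
 * Version: 5.4.01
 */
"""


def parse_version(text):
    """Turn '5.4.01' into (5, 4, 1); stops at the first non-numeric segment."""
    parts = []
    for seg in text.strip().split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_affected(version):
    """True when version <= LAST_AFFECTED, comparing zero-padded numeric segments."""
    a, b = parse_version(version), parse_version(LAST_AFFECTED)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def header_version(php_source):
    """Return the Version header value from plugin source text, or None."""
    m = _HEADER_RE.search(php_source)
    return m.group(1) if m else None


def audit(php_source):
    """Classify plugin source text as 'affected', 'patched' or 'unknown'."""
    version = header_version(php_source)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "patched"
```

Pass `audit()` the text of the plugin's main PHP file; an "unknown" result means no version header was found and the install needs a manual check.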

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers: CVE-2025-26909

Affected Products: Wp Ghost