Hide My WP Ghost < 7.0.00 – Unauthenticated Open Redirect | CVE 2026-39484 | Plugin Vulnerabilities

Description

The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Open Redirect in all versions up to 7.0.00 (exclusive). This is due to insufficient validation on a redirect url. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Affects Plugins

Fixed in 7.0.00

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ca12d05f-23f4-44e4-b513-a0452a170130

Classification

Type

REDIRECT

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Or Benit

Verified

No

WPVDB ID

59330269-f267-47ee-842a-4158de3476e2

Timeline

Publicly Published

2026-03-18 (about 2 months ago)

Added

2026-05-05 (about 19 days ago)

Last Updated

2026-05-05 (about 19 days ago)

Other

Published

Title

Published

2018-12-01

Title

Ninja Forms <= 3.3.19 - Authenticated Open Redirect

Published

2025-03-27

Title

Bit Integrations < 2.5.0 - Open Redirect

Published

2022-01-17

Title

Noptin < 1.6.5 - Open Redirect

Published

2023-10-06

Title

affiliate-toolkit – WordPress Affiliate Plugin < 3.4.0 - Open Redirect via atkpout.php

Published

2024-10-21

Title

Simple Membership < 4.5.4 - Unauthenticated Open Redirect