WordPress Plugin Vulnerabilities

WP Ghost < 5.4.02 - Unauthenticated Limited File Read

Description

The plugin is vulnerable to Path Traversal via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
hide-my-wp
Fixed in 5.4.02

References

CVE
CVE-2025-2056
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f43db496-80ea-442c-9417-7aa03ec95f02

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
d0f71e68-0e85-4294-8546-767319cbb1bf

Timeline

Publicly Published
2025-03-13 (about 1 year ago)
Added
2025-03-14 (about 1 year ago)
Last Updated
2025-03-14 (about 1 year ago)

Other

Published
Title
Published
2025-08-14
Title
WP Membership < 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2023-02-10
Title
Shortcodes Ultimate < 5.12.7 - Subscriber+ Arbitrary File Access
Published
2024-04-25
Title
XStore < 9.3.9 - Missing Authorization
Published
2023-05-05
Title
WP Job Portal < 2.0.2 - Unauthenticated Settings Update
Published
2026-02-09
Title
YayCurrency < 3.3.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion