(March 20, 21, 22, & 24, 2025)
A critical unauthenticated Local File Inclusion vulnerability in the WP Ghost WordPress plugin could be exploited to allow remote code execution. The flaw is "due to insufficient user input value via the URL path that will be included as a file." The issue has been patched in WP Ghost version 5.4.02; users are urged to update to the most recent version. The vulnerability was reported in late February and the patched version was released within a week. WP Ghost, which "offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting," has more than 200,000 active installations.
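The root cause described above (a URL-derived value used as the path of a file to include) is a generic class of bug. The following is an added illustration, not WP Ghost's code and not the actual flaw: it puts a minimal vulnerable pattern next to a hardened one that restricts the request value to an allowlist and verifies the canonicalised path stays inside the template directory. All function names, the allowlist and the temporary-directory setup are constructed for the example.

```php
<?php
// Constructed example (not WP Ghost's code): a request value chooses a file
// to include. Function names, the allowlist and paths are hypothetical.

// Vulnerable pattern: the request value becomes the file path unchanged, so
// traversal sequences, absolute paths or stream wrappers select other files.
function load_template_unsafe(string $requested, string $baseDir): string
{
    return $baseDir . '/' . $requested;   // no validation at all
}

// Hardened pattern: only fixed names are accepted, and the resolved path is
// checked to lie inside the template directory before it is included.
const ALLOWED_TEMPLATES = ['home', 'login', 'contact'];

function resolve_template(string $requested, string $baseDir): ?string
{
    // 1. Structural check: reject anything that is not a plain name.
    if (!preg_match('/^[a-z0-9_-]+$/', $requested)) {
        return null;
    }
    // 2. Allowlist check (strict comparison).
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 3. Canonicalise and confirm containment. realpath() returns false for
    //    a file that does not exist, which also blocks the include.
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Self-contained demonstration using a temporary template directory.
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/home.php", "<?php echo 'home template';");

// Constructed request values: one legitimate name, one traversal attempt,
// one stream wrapper, and an allowed name whose file does not exist.
$requests = ['home', '../../etc/passwd', 'php://input', 'login'];
foreach ($requests as $r) {
    $resolved = resolve_template($r, $dir);
    printf("%-20s => %s\n", $r, $resolved === null ? 'rejected' : 'ok: ' . basename($resolved));
}

// The include is only reached with a path that passed every check.
if (($path = resolve_template('home', $dir)) !== null) {
    include $path;
    echo "\n";
}

unlink("$dir/home.php");
rmdir($dir);
```

The containment check in step 3 is what makes the allowlist robust against mistakes elsewhere: even if a future change widened the accepted characters, a canonicalised path that resolves outside the template directory is still refused. Running the script prints one line per request value showing which were rejected, then the output of the single permitted include.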
Editor's Note
[Neely]
CVE-2024-26909, insufficient input validation, CVSS score 9.6, impacts all
versions of WP Ghost up to 5.4.01. You're only vulnerable if you've set the
"Change Paths" feature to Lite or Ghost mode (disabled by default).
Either way, ensure you've got this one set to auto-update and the current
version is installed. While you're looking, make sure you don't have any
plugins waiting on explicit (manual) steps to finalize their updates.