Platform: wordpress
Component: hide-my-wp
Fixed in: 5.4.02
CVE-2025-2056 describes a Path Traversal vulnerability discovered in the WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress. This flaw allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive data. The vulnerability affects versions from 0.0.0 up to and including 5.4.01. A patch is available in version 5.4.02.
The Path Traversal vulnerability in WP Ghost allows attackers to bypass the intended access restrictions and read files directly from the server's file system. An attacker could use it to retrieve configuration files, database credentials, or source code, leading to a significant compromise of the WordPress installation. Arbitrary file read gives attackers broad scope for data exfiltration and for further exploitation, such as gaining shell access if sensitive credentials are exposed. Its impact is comparable to other Path Traversal flaws in which attackers bypass security controls to reach resources they are not authorized to access.
CVE-2025-2056 was publicly disclosed on 2025-03-14. As of this date, it is not listed on the CISA KEV catalog, and there are no publicly available proof-of-concept exploits. The EPSS score is likely to be medium, given the relatively straightforward nature of Path Traversal vulnerabilities and the wide usage of WordPress plugins.
Exploit Status
EPSS: 1.29% (80th percentile)
The primary mitigation for CVE-2025-2056 is to immediately upgrade the WP Ghost (Hide My WP Ghost) plugin to version 5.4.02 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These might include restricting file access permissions on the server to limit the potential damage from a successful exploit. Web Application Firewall (WAF) rules can be configured to block requests containing suspicious path traversal patterns, such as sequences of '..' characters. After upgrading, verify the fix by attempting to access a non-public file via the vulnerable endpoint and confirming that access is denied.
Update the WP Ghost (Hide My WP Ghost) – Security & Firewall plugin to version 5.4.02 or higher to mitigate the Path Traversal vulnerability. This update fixes the issue by restricting file access and preventing unauthorized reading of sensitive files.
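As an added example (not from this advisory and not the plugin's own code), the following Python scanner flags path-traversal attempts in web server access logs, including the percent-encoded and double-encoded forms that a WAF rule matching only a literal '..' would miss. The log lines and the `example/view.php` endpoint are constructed placeholders, not the vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style log lines; "example/view.php" is a placeholder, not
# the plugin's real endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Mar/2025:10:00:01 +0000] "GET /wp-content/plugins/example/view.php?file=style.css HTTP/1.1" 200 512
203.0.113.5 - - [14/Mar/2025:10:00:02 +0000] "GET /wp-content/plugins/example/view.php?file=../../../../wp-config.php HTTP/1.1" 200 3104
198.51.100.7 - - [14/Mar/2025:10:00:03 +0000] "GET /wp-content/plugins/example/view.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 403 0
198.51.100.7 - - [14/Mar/2025:10:00:04 +0000] "GET /wp-content/plugins/example/view.php?file=..%252f..%252fwp-config.php HTTP/1.1" 403 0
192.0.2.9 - - [14/Mar/2025:10:00:05 +0000] "GET /index.php?p=about..more HTTP/1.1" 200 1024
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by a separator (or ending the value) is the traversal signal;
# "about..more" is not, so a bare ".." substring match would over-alert.
TRAVERSAL = re.compile(r"\.\.(?:/|$)")


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) to expose double encoding such as
    '%252f', and fold backslashes into '/' so Windows-style separators match."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if the decoded request path or query string carries a '..' segment."""
    return TRAVERSAL.search(normalize(target)) is not None


def scan_log(text: str) -> list[dict]:
    """One record per suspicious request; a 200 on a flagged request deserves a
    look, a 403 shows the WAF rule or patch rejecting it."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_traversal(m["target"]):
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "decoded": normalize(m["target"])})
    return hits
```

Running `scan_log(SAMPLE_LOG)` returns the three traversal attempts (one served with 200, two blocked with 403) and ignores the benign `about..more` parameter.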
CVE-2025-2056 is a Path Traversal vulnerability affecting the WP Ghost plugin for WordPress, allowing attackers to read sensitive files on the server.
You are affected if you are using WP Ghost plugin versions 0.0.0 through 5.4.01. Upgrade to 5.4.02 or later to resolve the issue.
Upgrade the WP Ghost plugin to version 5.4.02 or later. Consider temporary workarounds like restricting file access permissions if immediate upgrade is not possible.
As of the public disclosure date, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official WP Ghost plugin website or WordPress plugin repository for the latest advisory and update information.