CVE-2025-2056: WP Ghost <= 5.4.01 - Unauthenticated Limited File Read
First published: Fri Mar 14 2025(Updated: )
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Hide My WP Ghost | <=5.4.01 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-2056?
CVE-2025-2056 is classified as a medium severity vulnerability due to its potential for unauthorized file access.
How do I fix CVE-2025-2056?
To fix CVE-2025-2056, you should update the WP Ghost (Hide My WP Ghost) plugin to version 5.4.02 or later.
Who is affected by CVE-2025-2056?
Users of the WP Ghost (Hide My WP Ghost) plugin for WordPress versions up to and including 5.4.01 are affected by CVE-2025-2056.
What kind of attack can exploit CVE-2025-2056?
CVE-2025-2056 can be exploited by unauthenticated attackers to perform a Path Traversal attack, allowing them to read sensitive files.
Is there a workaround for CVE-2025-2056 if I cannot update?
There are no recommended workarounds for CVE-2025-2056; updating to the latest version is the best course of action.
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- agent/references
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/source
- agent/severity
- agent/author
- agent/tags
- agent/event
- vendor/wp ghost
- canonical/hide my wp ghost