Search criteria
4 vulnerabilities found for WP Ghost (Hide My WP Ghost) – Security & Firewall by johndarrel
CVE-2025-2056 (GCVE-0-2025-2056)
Vulnerability from cvelistv5 – Published: 2025-03-14 04:22 – Updated: 2025-03-14 13:45
VLAI?
Title
WP Ghost <= 5.4.01 - Unauthenticated Limited File Read
Summary
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.
Severity ?
7.5 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| johndarrel | WP Ghost (Hide My WP Ghost) – Security & Firewall |
Affected:
* , ≤ 5.4.01
(semver)
|
Credits
Michael Mazzolini
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T13:45:05.965351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T13:45:48.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall",
"vendor": "johndarrel",
"versions": [
{
"lessThanOrEqual": "5.4.01",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T04:22:34.842Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f43db496-80ea-442c-9417-7aa03ec95f02?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.4.02/models/Files.php#L336"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-05T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-03-13T16:21:37.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Ghost \u003c= 5.4.01 - Unauthenticated Limited File Read"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2056",
"datePublished": "2025-03-14T04:22:34.842Z",
"dateReserved": "2025-03-06T15:06:51.356Z",
"dateUpdated": "2025-03-14T13:45:48.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13794 (GCVE-0-2024-13794)
Vulnerability from cvelistv5 – Published: 2025-02-12 07:35 – Updated: 2025-02-18 17:40
VLAI?
Title
Hide My WP Ghost – Security & Firewall <= 5.3.02 - Unauthenticated Login Page Disclosure
Summary
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location.
Severity ?
5.3 (Medium)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| johndarrel | WP Ghost (Hide My WP Ghost) – Security & Firewall |
Affected:
* , ≤ 5.3.02
(semver)
|
Credits
Nicholas Mun
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13794",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T14:52:58.841830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T17:40:12.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall",
"vendor": "johndarrel",
"versions": [
{
"lessThanOrEqual": "5.3.02",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicholas Mun"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T07:35:39.178Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9effa526-7454-4490-9bf4-0605254d6625?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3235271%40hide-my-wp\u0026new=3235271%40hide-my-wp\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-11T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Hide My WP Ghost \u2013 Security \u0026 Firewall \u003c= 5.3.02 - Unauthenticated Login Page Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13794",
"datePublished": "2025-02-12T07:35:39.178Z",
"dateReserved": "2025-01-29T21:07:16.788Z",
"dateUpdated": "2025-02-18T17:40:12.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2056 (GCVE-0-2025-2056)
Vulnerability from nvd – Published: 2025-03-14 04:22 – Updated: 2025-03-14 13:45
VLAI?
Title
WP Ghost <= 5.4.01 - Unauthenticated Limited File Read
Summary
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.
Severity ?
7.5 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| johndarrel | WP Ghost (Hide My WP Ghost) – Security & Firewall |
Affected:
* , ≤ 5.4.01
(semver)
|
Credits
Michael Mazzolini
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T13:45:05.965351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T13:45:48.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall",
"vendor": "johndarrel",
"versions": [
{
"lessThanOrEqual": "5.4.01",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T04:22:34.842Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f43db496-80ea-442c-9417-7aa03ec95f02?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.4.02/models/Files.php#L336"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-05T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-03-13T16:21:37.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Ghost \u003c= 5.4.01 - Unauthenticated Limited File Read"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2056",
"datePublished": "2025-03-14T04:22:34.842Z",
"dateReserved": "2025-03-06T15:06:51.356Z",
"dateUpdated": "2025-03-14T13:45:48.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13794 (GCVE-0-2024-13794)
Vulnerability from nvd – Published: 2025-02-12 07:35 – Updated: 2025-02-18 17:40
VLAI?
Title
Hide My WP Ghost – Security & Firewall <= 5.3.02 - Unauthenticated Login Page Disclosure
Summary
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location.
Severity ?
5.3 (Medium)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| johndarrel | WP Ghost (Hide My WP Ghost) – Security & Firewall |
Affected:
* , ≤ 5.3.02
(semver)
|
Credits
Nicholas Mun
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13794",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T14:52:58.841830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T17:40:12.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall",
"vendor": "johndarrel",
"versions": [
{
"lessThanOrEqual": "5.3.02",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicholas Mun"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T07:35:39.178Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9effa526-7454-4490-9bf4-0605254d6625?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3235271%40hide-my-wp\u0026new=3235271%40hide-my-wp\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-11T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Hide My WP Ghost \u2013 Security \u0026 Firewall \u003c= 5.3.02 - Unauthenticated Login Page Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13794",
"datePublished": "2025-02-12T07:35:39.178Z",
"dateReserved": "2025-01-29T21:07:16.788Z",
"dateUpdated": "2025-02-18T17:40:12.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}