New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
AI Generated Image

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

The Hacker News technology

Key Points:

  • A critical remote code execution (RCE) vulnerability affecting WordPress core versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 was discovered by Adam Kues of Assetnote and patched in versions 6.9.5 and 7.0.2, released on July 17, 2026.
  • The flaw allows anonymous HTTP requests to execute code on a default WordPress install without plugins, with no preconditions required, making the vulnerability highly severe and easily exploitable.
  • WordPress implemented forced auto-updates to push the patch, but it remains unclear if sites with auto-updates disabled received the fix; site owners are urged to verify their WordPress version rather than assume protection.
  • Mitigation options before updating include blocking the vulnerable batch endpoint via web application firewalls, disabling the WP REST API for unauthenticated users, or using a plugin to reject anonymous requests to the batch endpoint, though these may disrupt legitimate integrations.
  • Despite the severity, no exploitation attempts have been reported as of July 18, 2026, and no CVE or CVSS score has been assigned yet, complicating automated vulnerability detection; WordPress's open-source nature means the patch also reveals the bug details, emphasizing the urgency of timely updates.

Trending Business

Trending Technology

Trending Health