#2
The Hacker News
general
July 17, 2026 at 21:20 UTC
New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
By [email protected] (The Hacker News)
AI Summary
A critical unauthenticated remote code execution flaw dubbed wp2shell was discovered in WordPress core by Adam Kues of Assetnote/Searchlight Cyber, affecting all WordPress 6.9 and 7.0 installations — no plugins required for exploitation. WordPress responded by shipping patched versions 6.9.5 and 7.0.2 and enabling forced auto-updates, but any site that hasn't received the update remains fully vulnerable to anonymous HTTP-based code execution.
Relevance score: 91.0/100
Sponsored
Protect Your Business
Expert cybersecurity solutions to safeguard your organization from evolving threats.
Get Protected →