Home / Jul 18, 2026 / Story
0
#2 The Hacker News general July 17, 2026 at 21:20 UTC

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

By [email protected] (The Hacker News)

AI Summary

A critical unauthenticated remote code execution flaw dubbed wp2shell was discovered in WordPress core by Adam Kues of Assetnote/Searchlight Cyber, affecting all WordPress 6.9 and 7.0 installations — no plugins required for exploitation. WordPress responded by shipping patched versions 6.9.5 and 7.0.2 and enabling forced auto-updates, but any site that hasn't received the update remains fully vulnerable to anonymous HTTP-based code execution.

Relevance score: 91.0/100

# More from July 18