New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

https://thehackernews.com/2026/07/new-wp2shell-wordpress-core-flaw-lets.html

Publish Date: 2026-07-17 17:20:00

Source Domain: thehackernews.com

Swati KhandelwalJul 17, 2026Vulnerability / Web Security

An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable.

Every 6.9 and 7.0 site was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced updates through its auto-update system.

Adam Kues at Assetnote, Searchlight Cyber’s attack surface management arm, found the flaw and reported it through WordPress’s HackerOne program. The writeup, published under the name wp2shell, says the attack has “no preconditions and can be exploited by an anonymous user.”

The firm is sitting on the technical details for now and has put up a checker at wp2shell.com instead, so owners can test their own instance.

WordPress released 6.9.5 and 7.0.2 on July 17, 2026, closing a pre-auth RCE in core that an anonymous request can trigger against a default install with no plugins. Two ranges are affected:

  • 6.9.0 through 6.9.4, fixed in 6.9.5
  • 7.0.0 through 7.0.1, fixed in 7.0.2

WordPress has not said whether the forced push reaches sites that turned auto-updates off. Check what you are actually running rather than assume it landed.

7.1 beta2 carries the same fix. Sites still on 6.8 have an update waiting too, but 6.8.6 is for the second SQL injection bug in the same round, reported by a different team.

Searchlight’s post estimates that over 500 million websites run WordPress. That figure is the total install base, not the vulnerable population: the flawed code only exists from 6.9 onward, and 6.9 shipped on December 2, 2025. So every affected site is running a release less than eight months old, and neither advisory says how many sites that covers.

WordPress is more forthcoming about the bug class than the researcher is. Its release post describes Kues’s finding as “a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution.” The release covers one critical and one high…

Source