CybersecurityJuly 18, 2026· via The Hacker News

Critical WordPress flaw enables unauthenticated code execution

Critical WordPress flaw enables unauthenticated code execution

Image : The Hacker News

A critical flaw in WordPress core now enables unauthenticated attackers to run arbitrary code on vulnerable sites, with versions 6.9 and 7.0 both affected. What started as a reported issue has evolved into a high-severity vulnerability—nicknamed wp2shell—that bypasses authentication entirely, meaning even a fresh WordPress install with no plugins can be exploited via a single HTTP request.

How the attack unfolds

The vulnerability stems from improper input validation in core components, allowing malicious payloads to be processed without user credentials. Security researchers note that the flaw can trigger a persistent-object-cache condition, enabling attackers to maintain access even after initial exploitation. A working proof-of-concept has been published, confirming the feasibility of remote code execution (RCE) in default configurations.

Immediate implications for site owners

Since the flaw resides in WordPress core, the attack surface is unusually broad. Administrators running unpatched versions—especially those unaware of the new CVE identifiers—face urgent risk. The discovery comes as WordPress powers over 43% of all websites, amplifying the potential impact. Hosting providers and security teams are advised to prioritize updates and monitor for signs of compromise.

Why it matters

This flaw underscores the growing sophistication of attacks targeting widely used platforms. Unlike plugin-specific bugs, core vulnerabilities can undermine trust in WordPress itself, forcing rapid patching cycles across millions of sites. For users, the lesson is clear: automated updates are no longer optional, and manual reviews of core changes must become routine. The publication of a proof-of-concept raises the stakes, turning theoretical risks into immediate threats for the unprepared.


Source: The Hacker News. AI-assisted editorial synthesis — TechnoExpress.

Read the original source on The Hacker News →

← Back to home