Security · 1h ago
Critical WordPress Core Bug Allows Unauthenticated Remote Code Execution
A critical flaw in WordPress core, tracked as wp2shell, lets unauthenticated attackers execute arbitrary code via HTTP requests. The bug affects all WordPress 6.9 and 7.0 sites, even with no plugins installed. WordPress released emergency patches 6.9.5 and 7.0.2 on Friday, with forced auto-updates enabled to protect vulnerable sites.
Meridian48 take
The forced-update mechanism is a rare and aggressive move by WordPress, underscoring the severity of a bug that could be weaponized at scale.
Read the full reporting
New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code →
The Hacker News
wordpressremote-code-execution