WordPress fixed a pre-auth remote code execution flaw in core that could be triggered by an anonymous HTTP request on default installs, affecting versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. Administrators should verify their actual version and update immediately, since the issue has no CVE yet and can also be mitigated by blocking access to the batch endpoint. #WordPress #wp2shell #Assetnote #SearchlightCyber
Keypoints
- An anonymous HTTP request can trigger code execution on WordPress core.
- The flaw affects default installs with no plugins on WordPress 6.9 and 7.0 releases.
- WordPress released 6.9.5 and 7.0.2 to fix the issue on July 17, 2026.
- Searchlight Cyberβs Adam Kues reported the bug through WordPressβs HackerOne program.
- Temporary mitigations include blocking the batch endpoint, disabling REST API access, or using a drop-in plugin.
Read More: https://thehackernews.com/2026/07/new-wp2shell-wordpress-core-flaw-lets.html