New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
Jul 17, 2026
Vulnerability / Web Security
An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced updates through its auto-update system. Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, found the flaw and reported it through WordPress's HackerOne program . The writeup , published under the name wp2shell , says the attack has "no preconditions and can be exploited by an anonymous user." The firm is sitting on the technical details for now and has put up a checker at wp2shell.com instead, so owners can test their own instance. WordPress released 6.9.5 and 7.0.2 on July 17, 2026, closing a pre-auth RCE in core that an anonymous request can trigger against a default install with no plugins. Two ranges are affected: 6.9.0 through 6.9.4, fixed in 6.9.5 7.0.0 through 7.0.1, fix...