WordPress Core RCE: No Login Required
A critical remote code execution (RCE) vulnerability in WordPress core, dubbed wp2shell, has been patched in emergency releases shipped on July 17, 2026. The flaw is severe: an attacker with no WordPress account and no prior access can send a crafted HTTP request to any vulnerable WordPress site and execute arbitrary code on the underlying server.
The bug exists in WordPress core itself — not in any plugin or theme — meaning a bare WordPress installation with zero add-ons installed was fully exploitable. Every WordPress 6.9 and 7.0 site was in the vulnerable window until patches became available.
WordPress responded by shipping versions 6.9.5 and 7.0.2 and activating its forced auto-update system, pushing patches automatically to sites that had not disabled core auto-updates.
Technical Background
WordPress security researcher Adam (The Hacker News notes the credited researcher's handle) identified the vulnerability in WordPress's request handling layer. The wp2shell designation refers to the exploit's ability to go directly from an unauthenticated web request (wp2) to an arbitrary shell command (shell).
How It Works
The vulnerability involves improper sanitization or validation in a WordPress core function that processes certain HTTP request parameters. When a specially crafted request is received, WordPress passes attacker-controlled data into a context where it can be interpreted as executable code — a classic server-side code injection pattern.
Because WordPress runs on PHP, successful exploitation gives attackers the ability to execute arbitrary PHP (and via PHP, shell commands), write files to the server, read the database credentials from wp-config.php, and deploy web shells for persistent access.
No Authentication, No Plugins Required
What makes wp2shell particularly dangerous is its pre-authentication nature combined with its presence in core:
| Factor | Impact |
|---|---|
| No authentication required | Any internet-connected WordPress site is a target |
| WordPress core (not a plugin) | 43%+ of all websites on the internet are potentially affected |
| Zero plugins needed | Default hardening measures (disabling comments, unused features) don't help |
| Remote code execution | Full server access, not just data exfiltration |
WordPress powers approximately 43% of all websites globally. A pre-auth RCE in core represents a massive attack surface.
Affected Versions
| Version Branch | Vulnerable | Patched Version |
|---|---|---|
| WordPress 6.9.x | Yes — all 6.9.x | 6.9.5 |
| WordPress 7.0.x | Yes — 7.0.0 through 7.0.1 | 7.0.2 |
| WordPress <= 6.8.x | Not confirmed vulnerable | N/A |
Sites running WordPress 6.8 and earlier should still update to the latest supported release as a general security practice.
WordPress's Emergency Response
WordPress's response included two notable actions:
1. Emergency Patch Releases
WordPress shipped 6.9.5 and 7.0.2 on July 17, 2026, describing them as security releases that all users should immediately install.
2. Forced Auto-Updates
WordPress activated its forced core auto-update mechanism — a capability used only in the most serious security situations. This automatically pushed the security update to all sites with auto-updates enabled (the WordPress default), without requiring site administrators to manually trigger the update.
Forced auto-updates are rare. WordPress has historically used them for only the most critical vulnerabilities, and their use here underscores the severity of wp2shell.
Is Your Site Updated?
Check Your Version
Log in to your WordPress admin dashboard and navigate to Dashboard → Updates. Your site is safe if it shows version 6.9.5+, 7.0.2+, or later.
Via WP-CLI:
wp core versionVerify Auto-Update Ran
If auto-updates are enabled (the default), your site likely already received the patch. Confirm in Dashboard → Updates or check your server logs for the auto-update activity.
If Auto-Updates Are Disabled
Sites with auto-updates disabled (common in managed hosting environments and development setups) did not receive the forced update automatically. Update manually:
# Via WP-CLI
wp core update
# Or download manually from wordpress.org and applyPost-Patch Security Audit
Even if your site has been patched, if it was running a vulnerable version during the exposure window (any 6.9.x before 6.9.5, or 7.0.x before 7.0.2), you should audit for signs of compromise:
- Check for unexpected files in
wp-content/uploads/,wp-content/themes/, andwp-content/plugins/— especially.phpfiles in upload directories - Review recently modified files:
find /path/to/wordpress -name "*.php" -newer /path/to/reference-file - Audit administrator accounts — look for unknown admin users
- Review server access logs for unusual POST requests to core WordPress endpoints
- Scan with a security plugin such as Wordfence, WP Cerber, or Sucuri Security
- Check
wp-config.php— verify database credentials have not been exfiltrated and changed
Common Web Shell Locations to Check
wp-content/uploads/*.php
wp-content/uploads/**/*.php
wp-includes/
wp-content/themes/[active-theme]/
Broader Context: WordPress Core Security
While WordPress's extensive plugin ecosystem is the more frequent source of vulnerabilities (WordPress plugins account for the majority of CVEs in WordPress-related advisories), core vulnerabilities carry disproportionate risk due to the sheer scale of WordPress deployments.
The last notable WordPress core RCE of comparable severity was several years ago. The wp2shell flaw, combined with WordPress's rapid response and forced auto-update deployment, is a significant moment in WordPress security history.
Key Takeaways
- Critical pre-auth RCE in WordPress core — no account needed, no plugins required
- Affects WordPress 6.9.x and 7.0.x — patch to 6.9.5 / 7.0.2 immediately
- WordPress force-pushed patches via auto-update — most managed sites are already patched
- Audit for compromise if your site ran a vulnerable version before the patch landed
- 43%+ of the web was in scope — expect active exploitation attempts as PoC details circulate