Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1941+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
NEWS

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

A critical unauthenticated remote code execution vulnerability in WordPress core affects all 6.9 and 7.0 installations. WordPress force-pushed emergency patches (6.9.5 / 7.0.2) to sites via its auto-update system.

Dylan H.

News Desk

July 17, 2026
5 min read

WordPress Core RCE: No Login Required

A critical remote code execution (RCE) vulnerability in WordPress core, dubbed wp2shell, has been patched in emergency releases shipped on July 17, 2026. The flaw is severe: an attacker with no WordPress account and no prior access can send a crafted HTTP request to any vulnerable WordPress site and execute arbitrary code on the underlying server.

The bug exists in WordPress core itself — not in any plugin or theme — meaning a bare WordPress installation with zero add-ons installed was fully exploitable. Every WordPress 6.9 and 7.0 site was in the vulnerable window until patches became available.

WordPress responded by shipping versions 6.9.5 and 7.0.2 and activating its forced auto-update system, pushing patches automatically to sites that had not disabled core auto-updates.

Technical Background

WordPress security researcher Adam (The Hacker News notes the credited researcher's handle) identified the vulnerability in WordPress's request handling layer. The wp2shell designation refers to the exploit's ability to go directly from an unauthenticated web request (wp2) to an arbitrary shell command (shell).

How It Works

The vulnerability involves improper sanitization or validation in a WordPress core function that processes certain HTTP request parameters. When a specially crafted request is received, WordPress passes attacker-controlled data into a context where it can be interpreted as executable code — a classic server-side code injection pattern.

Because WordPress runs on PHP, successful exploitation gives attackers the ability to execute arbitrary PHP (and via PHP, shell commands), write files to the server, read the database credentials from wp-config.php, and deploy web shells for persistent access.

No Authentication, No Plugins Required

What makes wp2shell particularly dangerous is its pre-authentication nature combined with its presence in core:

FactorImpact
No authentication requiredAny internet-connected WordPress site is a target
WordPress core (not a plugin)43%+ of all websites on the internet are potentially affected
Zero plugins neededDefault hardening measures (disabling comments, unused features) don't help
Remote code executionFull server access, not just data exfiltration

WordPress powers approximately 43% of all websites globally. A pre-auth RCE in core represents a massive attack surface.

Affected Versions

Version BranchVulnerablePatched Version
WordPress 6.9.xYes — all 6.9.x6.9.5
WordPress 7.0.xYes — 7.0.0 through 7.0.17.0.2
WordPress <= 6.8.xNot confirmed vulnerableN/A

Sites running WordPress 6.8 and earlier should still update to the latest supported release as a general security practice.

WordPress's Emergency Response

WordPress's response included two notable actions:

1. Emergency Patch Releases

WordPress shipped 6.9.5 and 7.0.2 on July 17, 2026, describing them as security releases that all users should immediately install.

2. Forced Auto-Updates

WordPress activated its forced core auto-update mechanism — a capability used only in the most serious security situations. This automatically pushed the security update to all sites with auto-updates enabled (the WordPress default), without requiring site administrators to manually trigger the update.

Forced auto-updates are rare. WordPress has historically used them for only the most critical vulnerabilities, and their use here underscores the severity of wp2shell.

Is Your Site Updated?

Check Your Version

Log in to your WordPress admin dashboard and navigate to Dashboard → Updates. Your site is safe if it shows version 6.9.5+, 7.0.2+, or later.

Via WP-CLI:

wp core version

Verify Auto-Update Ran

If auto-updates are enabled (the default), your site likely already received the patch. Confirm in Dashboard → Updates or check your server logs for the auto-update activity.

If Auto-Updates Are Disabled

Sites with auto-updates disabled (common in managed hosting environments and development setups) did not receive the forced update automatically. Update manually:

# Via WP-CLI
wp core update
 
# Or download manually from wordpress.org and apply

Post-Patch Security Audit

Even if your site has been patched, if it was running a vulnerable version during the exposure window (any 6.9.x before 6.9.5, or 7.0.x before 7.0.2), you should audit for signs of compromise:

  1. Check for unexpected files in wp-content/uploads/, wp-content/themes/, and wp-content/plugins/ — especially .php files in upload directories
  2. Review recently modified files: find /path/to/wordpress -name "*.php" -newer /path/to/reference-file
  3. Audit administrator accounts — look for unknown admin users
  4. Review server access logs for unusual POST requests to core WordPress endpoints
  5. Scan with a security plugin such as Wordfence, WP Cerber, or Sucuri Security
  6. Check wp-config.php — verify database credentials have not been exfiltrated and changed

Common Web Shell Locations to Check

wp-content/uploads/*.php
wp-content/uploads/**/*.php
wp-includes/
wp-content/themes/[active-theme]/

Broader Context: WordPress Core Security

While WordPress's extensive plugin ecosystem is the more frequent source of vulnerabilities (WordPress plugins account for the majority of CVEs in WordPress-related advisories), core vulnerabilities carry disproportionate risk due to the sheer scale of WordPress deployments.

The last notable WordPress core RCE of comparable severity was several years ago. The wp2shell flaw, combined with WordPress's rapid response and forced auto-update deployment, is a significant moment in WordPress security history.

Key Takeaways

  1. Critical pre-auth RCE in WordPress core — no account needed, no plugins required
  2. Affects WordPress 6.9.x and 7.0.x — patch to 6.9.5 / 7.0.2 immediately
  3. WordPress force-pushed patches via auto-update — most managed sites are already patched
  4. Audit for compromise if your site ran a vulnerable version before the patch landed
  5. 43%+ of the web was in scope — expect active exploitation attempts as PoC details circulate

References

  • The Hacker News — New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
  • WordPress Security Releases 6.9.5 and 7.0.2
  • WordPress Core Security Team
  • WPScan Vulnerability Database
#WordPress#RCE#Zero Authentication#Security Updates#wp2shell#Core Vulnerability#Auto-Update

Related Articles

CISA: Microsoft SharePoint RCE Flaw Now Actively Exploited

CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation of a high-severity SharePoint...

3 min read

Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure

CVE-2026-20253, a critical unauthenticated remote code execution flaw in Splunk Enterprise, is being actively exploited in the wild just days after public...

4 min read

F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution

F5 has released emergency security updates for two critical vulnerabilities in NGINX Open Source, including a CVSS 9.2 use-after-free flaw in the HTTP/3...

3 min read
Back to all News