Ethical Hacking News
A critical security vulnerability has been discovered in the latest version of WordPress, allowing unauthenticated attackers to run code on affected sites. Learn more about this new threat and how you can secure your website to prevent exploitation.
WordPress has been hit with a critical security bug called "wp2shell" that allows an anonymous HTTP request to run code on the site. The bug affected every 6.9 and 7.0 version of WordPress until patches were released in July 2026. Researchers discovered the flaw through WordPress's HackerOne program and have shared detailed information about the bug. Patches are available to address the vulnerabilities, but some website owners may not know if they've been applied yet. Individuals can take proactive steps to secure their sites by disabling WP REST API access, implementing a web application firewall, or using a short drop-in plugin.
The latest vulnerability to rock the world of cybersecurity is a newly discovered flaw in the popular open-source content management system, WordPress. Dubbed "wp2shell," this critical security bug has left many website owners feeling shaken and vulnerable. According to recent reports, an anonymous HTTP request can now run code on a WordPress site, even without authentication.
In a shocking revelation that highlights the ever-evolving nature of cybersecurity threats, researchers have discovered that every 6.9 and 7.0 version of WordPress was affected by this bug until the release of patch versions 6.9.5 and 7.0.2 in July 2026. These patches addressed two critical vulnerabilities: a REST API batch-route confusion leading to Remote Code Execution, as well as an SQL injection issue that could have exposed sensitive data.
The story behind the discovery of this bug is one of teamwork and collaboration between researchers and industry leaders. Adam Kues at Searchlight Cyber's attack surface management arm found the flaw through WordPress's HackerOne program and has since shared detailed information about the bug, including a writeup published under the name "wp2shell." This report highlights the fact that the bug is present in core and can be exploited by an anonymous user.
The impact of this vulnerability cannot be overstated. With over 500 million websites running WordPress, this opens up a wide door for potential attackers to exploit. The good news is that patches are available to address these vulnerabilities, but some website owners may not know which version they're using or whether the patches have been applied yet.
The way forward in addressing this vulnerability lies with individual website owners taking proactive steps to secure their sites. Adam Kues at Searchlight Cyber recommends three options: disabling WP REST API access, implementing a web application firewall (WAF) that blocks both /wp-json/batch/v1 and rest_route=/batch/v1, or using a short drop-in plugin that rejects anonymous /batch/v1 requests at rest_pre_dispatch.
While the existence of such vulnerabilities highlights the need for continuous vigilance and monitoring in our quest to secure online environments, it also underscores the importance of collaboration and knowledge-sharing within the cybersecurity community. As experts in this field note, the ability to share information about newly discovered threats is crucial in helping to mitigate their impact.
In conclusion, the discovery of this new WordPress core flaw serves as a poignant reminder that the cybersecurity landscape continues to evolve rapidly. By working together and staying informed, we can all take steps to protect ourselves against these emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-WordPress-Core-Flaw-The-Unauthenticated-Attackers-Backdoor-ehn.shtml
https://thehackernews.com/2026/07/new-wp2shell-wordpress-core-flaw-lets.html
Published: Fri Jul 17 17:44:36 2026 by llama3.2 3B Q4_K_M