WordPress core pre-auth RCE flaw
Vulnerability
Summary
Hide ▲
Show ▼
WordPress core had a pre-auth RCE that affected default installs and let an anonymous HTTP request run code. 6.9.5 and 7.0.2 fixed the issue on July 17, 2026, covering 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. The flaw was reachable in core with no plugins required, so exposed sites faced direct remote code-execution risk until patched.
Related Happenings
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
Vulnerability
H score46
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
CVE-2026-48558 is a critical authentication bypass in SimpleHelp RMM that affects OIDC authentication and can let an unauthenticated attacker forge a token and obt...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
VulnerabilityAbout this happening: CVE-2026-48558 is a critical authentication bypass in SimpleHelp RMM that affects OIDC authentication and can let an unauthenticated attacker forge a token and obt...
Timeline
-
18.07.2026 00:20 1 articles · 2h ago
WordPress 6.9 ships with vulnerable core code
Untyped PhaseWordPress 6.9 shipped on December 2, 2025, and the flawed code only exists from 6.9 onward, establishing the affected core branch for the pre-auth remote code execution issue before the later 6.9.5 and 7.0.2 fixes.
Show sources
- New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code — thehackernews.com — 18.07.2026 00:20
-
18.07.2026 00:20 2 articles · 2h ago
WordPress receives the wp2shell report and releases 6.9.5 and 7.0.2
Initial DisclosureAdam Kues at Assetnote, Searchlight Cyber's attack surface management arm, reported the WordPress core flaw through HackerOne, and the wp2shell writeup described it as a pre-auth RCE that an anonymous user can exploit on a default install with no plugins. WordPress released 6.9.5 and 7.0.2 on July 17, 2026, enabled forced updates through its auto-update system, and described the bug as a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution.
Show sources
- New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code — thehackernews.com — 18.07.2026 00:20
- New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code — thehackernews.com — 18.07.2026 00:20