Find notable cyber news and cases, enriched with sources, timelines, and signals.

WordPress core pre-auth RCE flaw

Vulnerability
First reported
Last updated
Happening score
H score 48
1 unique sources, 1 articles

Summary

Hide ▲

WordPress core had a pre-auth RCE that affected default installs and let an anonymous HTTP request run code. 6.9.5 and 7.0.2 fixed the issue on July 17, 2026, covering 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. The flaw was reachable in core with no plugins required, so exposed sites faced direct remote code-execution risk until patched.

Related Happenings

SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)

Vulnerability
H score46 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: CVE-2026-48558 is a critical authentication bypass in SimpleHelp RMM that affects OIDC authentication and can let an unauthenticated attacker forge a token and obt...

Timeline

  1. 18.07.2026 00:20 1 articles · 2h ago

    WordPress 6.9 ships with vulnerable core code

    Untyped Phase

    WordPress 6.9 shipped on December 2, 2025, and the flawed code only exists from 6.9 onward, establishing the affected core branch for the pre-auth remote code execution issue before the later 6.9.5 and 7.0.2 fixes.

    Show sources
  2. 18.07.2026 00:20 2 articles · 2h ago

    WordPress receives the wp2shell report and releases 6.9.5 and 7.0.2

    Initial Disclosure

    Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, reported the WordPress core flaw through HackerOne, and the wp2shell writeup described it as a pre-auth RCE that an anonymous user can exploit on a default install with no plugins. WordPress released 6.9.5 and 7.0.2 on July 17, 2026, enabled forced updates through its auto-update system, and described the bug as a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution.

    Show sources