Find notable cyber news and cases, enriched with sources, timelines, and signals.

WordPress core pre-auth RCE patch bundle (6.9.5, 7.0.2)

Security Patch Release
First reported
Last updated
Happening score
H score 60
1 unique sources, 1 articles

Summary

Hide ▲

WordPress shipped 6.9.5 and 7.0.2, closing a pre-auth RCE in core for 6.9.0-6.9.4 and 7.0.0-7.0.1 sites. The update bundle also enabled forced updates through the auto-update system. Unpatched installations face code-execution risk from an anonymous request even on a default install with no plugins.

Related Happenings

SimpleHelp security update for CVE-2026-48558

Security Patch Release
H score65 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: SimpleHelp released 5.5.16 and 6.0 RC2 on June 9 to fix CVE-2026-48558, a critical OIDC authentication flaw in SimpleHelp remote management software th...

Timeline

  1. 18.07.2026 00:20 1 articles · 2h ago

    Adam Kues reports a WordPress core pre-auth RCE

    Initial Disclosure

    Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, reported a WordPress core flaw through WordPress's HackerOne program; the wp2shell writeup says the issue has no preconditions and can be exploited by an anonymous user on a default install with no plugins.

    Show sources
  2. 18.07.2026 00:20 2 articles · 2h ago

    WordPress ships 6.9.5 and 7.0.2 to close the anonymous RCE

    Mitigation Patch Update

    WordPress released 6.9.5 and 7.0.2 on July 17, 2026, closing a pre-auth RCE in WordPress core that an anonymous request can trigger against a default install with no plugins; the release also enabled forced updates through the auto-update system, covering 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1.

    Show sources