WordPress core pre-auth RCE patch bundle (6.9.5, 7.0.2)
Security Patch Release
Summary
Hide ▲
Show ▼
WordPress shipped 6.9.5 and 7.0.2, closing a pre-auth RCE in core for 6.9.0-6.9.4 and 7.0.0-7.0.1 sites. The update bundle also enabled forced updates through the auto-update system. Unpatched installations face code-execution risk from an anonymous request even on a default install with no plugins.
Related Happenings
SimpleHelp security update for CVE-2026-48558
Security Patch Release
H score65
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
SimpleHelp released 5.5.16 and 6.0 RC2 on June 9 to fix CVE-2026-48558, a critical OIDC authentication flaw in SimpleHelp remote management software th...
SimpleHelp security update for CVE-2026-48558
Security Patch ReleaseAbout this happening: SimpleHelp released 5.5.16 and 6.0 RC2 on June 9 to fix CVE-2026-48558, a critical OIDC authentication flaw in SimpleHelp remote management software th...
Timeline
-
18.07.2026 00:20 1 articles · 2h ago
Adam Kues reports a WordPress core pre-auth RCE
Initial DisclosureAdam Kues at Assetnote, Searchlight Cyber's attack surface management arm, reported a WordPress core flaw through WordPress's HackerOne program; the wp2shell writeup says the issue has no preconditions and can be exploited by an anonymous user on a default install with no plugins.
Show sources
- New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code — thehackernews.com — 18.07.2026 00:20
-
18.07.2026 00:20 2 articles · 2h ago
WordPress ships 6.9.5 and 7.0.2 to close the anonymous RCE
Mitigation Patch UpdateWordPress released 6.9.5 and 7.0.2 on July 17, 2026, closing a pre-auth RCE in WordPress core that an anonymous request can trigger against a default install with no plugins; the release also enabled forced updates through the auto-update system, covering 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1.
Show sources
- New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code — thehackernews.com — 18.07.2026 00:20
- New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code — thehackernews.com — 18.07.2026 00:20