WordPress core flaw lets unauthenticated attackers run arbitrary code

A pre-authentication remote code execution bug in WordPress core affects versions 6.9 and 7.0, with emergency patches released July 17 and forced updates enabled.

CSBadmin
2 Min Read

A critical pre-authentication remote code execution flaw in WordPress core, dubbed wp2shell, allows anyone with network access to run arbitrary commands on an unpatched site without needing credentials or plugins. The vulnerability affects every WordPress installation running versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1, making it one of the most consequential core flaws in recent memory.

Adam Kues at Assetnote, the attack surface management arm of Searchlight Cyber, discovered the bug and reported it through WordPress’s HackerOne program. According to the researcher’s writeup, the attack has “no preconditions and can be exploited by an anonymous user.” The root cause involves a REST API batch-route confusion combined with a SQL injection issue that chains into full remote code execution.

WordPress shipped emergency fixes on July 17, releasing versions 6.9.5 and 7.0.2. The project also enabled forced updates through its auto-update system to push the patch to as many sites as possible. It remains unclear whether that forced push reaches installations that have turned automatic updates off.

Searchlight has withheld full technical details and set up a checker at wp2shell.com so site owners can test their own instances. As a stopgap, administrators can block the /wp-json/batch/v1 endpoint at the web application firewall level, though that approach risks breaking legitimate integrations that rely on the batch API.

No exploitation attempts have been publicly reported as of July 18. However, with no CVE identifier assigned and no public signature to match, defenders have limited visibility into whether attacks are already underway. WordPress core remains open source, and the diff between patched and vulnerable versions is publicly available, putting administrators in a race against anyone examining the fix.

CSBadmin

The latest in cybersecurity news and updates.

SOURCES:The Hacker News
Share This Article
Follow:
The latest in cybersecurity news and updates.