Critical WordPress Core Vulnerability Allows Unauthenticated Remote Code Execution via wp2shell
A critical WordPress core vulnerability (wp2shell) enables unauthenticated remote code execution through a chained SQL injection and REST API flaw, affecting versions 6.9 and 7.0 prior to patches. The vulnerability, disclosed with CVEs and a public exploit, highlights the risks of default configurations and the urgency of applying updates.
Updated July 18, 2026: the two flaws now carry CVE IDs, the full mechanism has been published, a persistent-object-cache condition has surfaced, and a working proof-of-concept is public. The story below reflects all of it.
An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until
*** END OF TRANSMISSION ***