Unauthenticated WordPress bug lets attackers run arbitrary code
2026-07-18
Silence is the dangerous part here. The wp2shell flaw turns a default WordPress core install into an execution host for arbitrary code, no plugin or prior access required, giving anonymous attackers a straight path into the server process.

What makes wp2shell stand out is its position inside core request handling, where input validation and capability checks normally enforce a clean separation between anonymous traffic and privileged operations, yet a logic error lets crafted requests reach code paths that should never be exposed pre authentication. Security engineers describe it as a pre auth remote code execution condition, because the exploit chain completes before any user identity is verified or any session token is created.
The fix is blunt and necessary. WordPress releases labeled 6.9.5 and 7.0.2 tighten parameter sanitization, harden capability checks, and close the specific invocation route that wp2shell abused, altering core functions so that attacker controlled data can no longer reach dynamic code evaluation or file include operations.
Site operators now face a simple tradeoff. Patch immediately to restore a meaningful security boundary between unauthenticated requests and the PHP engine, or leave wp2shell exposed and accept that a default, unmodified installation can be turned into an entry point for persistent compromise with no visible warning.
Loading...