🔴 Critical | Source: The Hacker News
A critical unauthenticated remote code execution vulnerability, dubbed wp2shell, exists in WordPress core versions 6.9 and 7.0, meaning any site running a default installation — with no plugins — could be fully compromised via a single anonymous HTTP request. WordPress has patched the flaw in versions 6.9.5 and 7.0.2 and has pushed forced auto-updates to affected sites. The vulnerability was discovered by Adam Kues at Assetnote, the attack surface management arm of Searchlight Cyber.
Security Architect’s Take: Verify that WordPress auto-updates have successfully applied versions 6.9.5 or 7.0.2 across all managed sites and hosting environments — do not assume auto-update ran successfully, particularly on managed Kubernetes or containerised WordPress deployments where auto-update mechanisms are often disabled. Additionally, review WAF and cloud-layer rules to block anomalous unauthenticated POST requests to WordPress core endpoints as a defence-in-depth measure.
Original advisory: New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code