← All stories
● Covered by 1 source · 1 reportHigh impact

Critical WordPress Core Flaw Allows Remote Code Execution by Unauthenticated Users

Aggregated by BrevFeed security · updated 2h ago
🔖 Save

A core vulnerability in WordPress allows unauthenticated attackers to run code on sites using versions 6.9.0 to 6.9.4 and 7.0.0 to 7.0.1. The issue was addressed in updates released on July 17, 2026, impacting potentially over 500 million websites.

Key points

Vulnerability Overview

WordPress has identified a critical core flaw, dubbed wp2shell, that enables unauthenticated attackers to execute arbitrary code on affected sites. This issue affects default installations of WordPress, requiring no plugins to exploit.

Affected Versions and Response

The vulnerability impacts WordPress versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. On July 17, 2026, WordPress released updates 6.9.5 and 7.0.2 to address this issue. Both versions were delivered as forced updates through WordPress's auto-update system, although it is unclear if sites with auto-updates disabled received the patches.

Background on the Flaw

Found by Adam Kues from Searchlight Cyber, the vulnerability is classified as a REST API batch-route confusion and SQL injection issue, leading to remote code execution. The batch endpoint at the core of this flaw has been part of WordPress since version 5.6.

Scope of the Issue

Approximately 500 million sites run WordPress, but the vulnerable code exists solely in versions 6.9 and later, which were released in late 2025. This makes the issue especially concerning, given the relatively short time since it was introduced.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors — check the original sources. How BrevFeed works →

Primary sources

CVE CVE-2026-90829.8 CRITICAL

Reporting from

A core vulnerability in WordPress allows unauthenticated attackers to run code on sites using versions 6.9.0 to 6.9.4 and 7.0.0 to 7.0.1. The issue was addressed in updates released on July 17, 2026, impacting potentially over 500 million websites.