Uncategorized

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable.

Every 6.9 and 7.0 site was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced updates through its auto-update system.

Adam Kues at Assetnote, Searchlight Cyber’s attack surface management arm, found the flaw and reported

Ready to get started?

Let's discuss how we can protect your organization. Book a free consultation with our security experts today.

Get Your Free Report

Enter your details for instant access to the full NIS2 analysis.

What you'll receive:
  • 42-page sector analysis
  • Compliance checklists & frameworks
  • Penalty & enforcement data 2026
Cypro Report Download
Your data is secure. No spam, unsubscribe anytime.