WordPress has pushed emergency patches after researchers disclosed a critical core vulnerability that let unauthenticated attackers execute arbitrary code on affected sites using nothing more than a crafted HTTP request.

The flaw, referred to as wp2shell, lives in WordPress core itself rather than in a plugin or theme, meaning even a fresh, unmodified installation with no third-party extensions was exploitable. Any site running WordPress 6.9 or 7.0 was considered at risk until the fixes shipped.

Adam Kues of Assetnote, the attack surface management arm of Searchlight Cyber, discovered the vulnerability and reported it to the WordPress security team.

Emergency Response

WordPress released versions 6.9.5 and 7.0.2 to address the issue. Given the severity, unauthenticated remote code execution requiring no user interaction, the WordPress team enabled forced updates through its built-in auto-update mechanism, pushing the fix to affected installations automatically rather than waiting for administrators to update manually.

This kind of forced rollout is reserved for the most serious core vulnerabilities, since WordPress powers a substantial share of websites globally and an unauthenticated code execution bug in core represents one of the most dangerous classes of flaw the platform can face.

What Site Owners Should Do

  • Confirm your site has been updated to 6.9.5 or 7.0.2, particularly if auto-updates are disabled or managed by a third party
  • Check server and access logs for unusual POST requests or unexpected file writes around the disclosure window
  • Review file integrity on WordPress installations that may have been running vulnerable versions before the patch propagated
  • Ensure auto-updates are enabled going forward to receive future forced security patches promptly

No further technical details, such as the specific request pattern or affected code path, were disclosed publicly at the time of the advisory, likely to limit exploitation while sites complete the update cycle.