wp2shell WordPress Core Flaw Enables Remote Code Execution

The wp2shell WordPress core flaw has caused urgent concern throughout the web security community. This vulnerability allows an unauthenticated attacker to execute code remotely on any WordPress site, even those without plugins. Given WordPress’s status as the world’s most popular CMS, the flaw’s reach is significant and immediate action is required.

wp2shell WordPress Core Flaw: What Happened?

On Friday, security researchers at Assetnote, a division of Searchlight Cyber, disclosed a critical vulnerability dubbed wp2shell affecting WordPress Core. The flaw was present in all 6.9 and 7.0 series installations of WordPress Core, making every site running these versions vulnerable. Crucially, the vulnerability does not require any installed plugins or themes to be exploited, leaving even default installations exposed.

The issue is triggered by a specially crafted anonymous HTTP request. An attacker can send this request to a vulnerable site and achieve arbitrary code execution – meaning they can run any command or software of their choice on the server. This makes the vulnerability extremely dangerous, as it opens the door to complete site takeover, data theft, malware installation or use as part of a botnet.

WordPress responded rapidly on Friday by releasing patched versions 6.9.5 and 7.0.2. To address the scale of the threat, the WordPress security team enabled forced auto-updates for all affected sites. This means that most active WordPress sites should already have received the update. However, auto-updates can sometimes fail or be disabled, so site owners are strongly encouraged to verify their current WordPress version and manually update if necessary.

Technical Details of the Vulnerability

Assetnote’s Adam Kues discovered the vulnerability in the core codebase of WordPress, not in any plugin or theme. This makes it far more widespread than many previous WordPress flaws, which often require specific third-party components to be present. The flaw allows an attacker to upload or inject code simply by sending a crafted anonymous HTTP request to the site. No authentication is required, so any public-facing WordPress instance running 6.9.x or 7.0.x prior to the patched versions is at risk.

The attack chain is as follows:

  • The attacker identifies a target site running a vulnerable version of WordPress Core.
  • They send a specially crafted HTTP request to the site’s public endpoint.
  • The request exploits a flaw in WordPress’s request handling, enabling the attacker to execute arbitrary code on the server.
  • Once code execution is achieved, the attacker can deploy malware, steal data or create backdoors for persistent access.

As the flaw is in the core, even a fresh WordPress install with no customisation or plugins is vulnerable if it is running an unpatched version. This dramatically increases the number of potentially affected sites.

Timeline and Affected Versions

The vulnerability was discovered by Assetnote and reported to WordPress prior to public disclosure. WordPress released the security patches on Friday, rolling out versions 6.9.5 and 7.0.2 with the fix. At the same time, the WordPress team enabled forced auto-updates through their update system to accelerate adoption of the patch.

The affected versions are:

  • All WordPress 6.9.x versions prior to 6.9.5
  • All WordPress 7.0.x versions prior to 7.0.2

Sites running older major releases may also be at risk if backported patches have not been applied. The scope of the issue is large, as millions of sites run these WordPress versions. The forced update process began immediately after patch release, but site owners are urged to manually confirm their update status.

Exploitation Status and Observed Attacks

As of the initial disclosure, there were no widespread reports of mass exploitation, but given the simplicity of the attack and the reach of WordPress, exploitation attempts are expected to rise rapidly. Public proof-of-concept exploit code is likely to appear soon, if it has not already. Attackers can easily scan the internet for sites running vulnerable WordPress versions and attempt automated exploitation at scale.

The WordPress team’s use of forced updates is a positive step, but some sites may not have received the patch due to custom update settings, access restrictions or underlying technical issues. Threat actors often move quickly after critical flaws are announced, so time is of the essence for site administrators.

Why wp2shell Matters for Organisations

This core flaw stands out due to its potential impact. Unauthenticated code execution means an attacker can take complete control of a website, steal sensitive information or use the site for malicious campaigns. With WordPress powering a huge portion of business websites, especially in the SME sector, even organisations with limited customisation or no plugins are at risk.

What Organisations Should Do Now

  • Immediately check your site’s WordPress version. Only 6.9.5 or 7.0.2 (or later) are safe from this flaw.
  • Apply the patch manually if your site has not auto-updated.
  • Review your access logs for signs of unexpected anonymous requests or suspicious activity since the disclosure date.
  • Ensure that regular, tested backups are in place in case recovery is needed.

Prompt verification and patching is the most effective way to prevent exploitation of the wp2shell flaw. Organisations should act now to confirm their WordPress sites are secure.

Originally reported by thehackernews.com.

Share this bulletin

About the Author

Headshot of Jonny Pelter, leading cyber security expert in the UK and CISO

Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc

Jonny Pelter

Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

View Profile
Back to Bulletins

Related CyPro Services

  • Managed Detection and Response (MDR)

    Managed Detection and Response (MDR) is an end-to-end managed service designed to help organisations detect, analyse and respond to cyber threats quickly and effectively. It...
    View Service
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call