Critical WordPress Core Flaw Allows Unauthenticated Remote Code Execution
A critical remote code execution vulnerability, dubbed wp2shell, has been discovered in WordPress core, affecting versions 6.9 and 7.0. The flaw allows unauthenticated attackers to execute arbitrary code on any WordPress site via a simple HTTP request, even on a bare installation with no plugins. WordPress released a security patch on Friday, closing the exploit window. The vulnerability was disclosed by security researchers who demonstrated the attack vector. Given WordPress powers over 40% of all websites, the potential impact is massive, though active exploitation in the wild has not yet been confirmed. Site administrators are urged to update immediately.
Global Impact
This vulnerability has significant economic and technological implications. Economically, the cost of remediation—patching, incident response, and potential data breach fallout—could run into hundreds of millions of dollars globally.