Cybersecurity 40 min ago0Add to bookmarks

A sanitation flaw in the WordPress core allows an unauthenticated attacker to run arbitrary code on the server. Patch immediately.
The Hacker News reports on July 17, 2026, a vulnerability named wp2shell affecting the core of WordPress. According to the article, an unauthenticated attacker can trigger a remote code execution (RCE - Remote Code Execution) via a crafted HTTP request, without needing a user account or a vulnerable third-party plugin.
Any unpatched WordPress instance exposed on the Internet. WordPress powers more than 40% of the web (a recurring figure from W3Techs barometers), so the attack surface is massive. Shared hosting providers and WooCommerce e-commerce sites are on the front line - a compromised merchant site means credit cards, customer accounts, and malicious redirects in cascade.
An unauthenticated RCE in the WordPress core is the worst-case scenario for the platform: no social engineering, no account to steal, no exotic plugin - a simple Internet scanner is enough to mass exploit. The community has already experienced this kind of event (the 2017 REST API vulnerabilities defaced more than a million sites in a few days). The name wp2shell evokes the purpose of the exploit: to go directly from the web to the shell on the server.
The classic pattern after disclosure: massive Internet scan within 24-72 hours, mass exploitation to drop webshells, then discreet persistence for crypto mining, SEO spam, or access resold on underground markets.
WP_AUTO_UPDATE_CORE enabled for minor patches.find /var/www -name "*.php" -mtime -3 to identify recently created PHP files (potential webshells).wp-config.php salts (via wordpress.org/secret-key).WordPress powers approximately 43% of websites worldwide according to W3Techs. An unauthenticated RCE in its core potentially threatens tens of millions of installations.
At the time of writing, The Hacker News article remains our primary source. The CVE number, the exact version of vulnerable versions, and the existence of a public PoC will need to be verified on official advisories (wordpress.org, MITRE CVE, NVD) as soon as they are published. We will update this note upon confirmation.
Article produced by artificial intelligence, reviewed under human editorial control.