wp2shell: a critical vulnerability in the core of WordPress allows remote code execution without authentication

Cybersecurity 40 min ago0Add to bookmarks

wp2shell: a critical vulnerability in the core of WordPress allows remote code execution without authentication
Illustration : Momiji Shirogane

A sanitation flaw in the WordPress core allows an unauthenticated attacker to run arbitrary code on the server. Patch immediately.

Facts

The Hacker News reports on July 17, 2026, a vulnerability named wp2shell affecting the core of WordPress. According to the article, an unauthenticated attacker can trigger a remote code execution (RCE - Remote Code Execution) via a crafted HTTP request, without needing a user account or a vulnerable third-party plugin.

  • Scope: WordPress core (not a plugin), so the vast majority of installations are potentially affected.
  • Vector: Unauthenticated HTTP request → RCE.
  • Publication: The Hacker News article, July 17, 2026.

Who is impacted

Any unpatched WordPress instance exposed on the Internet. WordPress powers more than 40% of the web (a recurring figure from W3Techs barometers), so the attack surface is massive. Shared hosting providers and WooCommerce e-commerce sites are on the front line - a compromised merchant site means credit cards, customer accounts, and malicious redirects in cascade.

Analysis

An unauthenticated RCE in the WordPress core is the worst-case scenario for the platform: no social engineering, no account to steal, no exotic plugin - a simple Internet scanner is enough to mass exploit. The community has already experienced this kind of event (the 2017 REST API vulnerabilities defaced more than a million sites in a few days). The name wp2shell evokes the purpose of the exploit: to go directly from the web to the shell on the server.

The classic pattern after disclosure: massive Internet scan within 24-72 hours, mass exploitation to drop webshells, then discreet persistence for crypto mining, SEO spam, or access resold on underground markets.

What to do now

  • Patch immediately: Update to the latest version of the WordPress core as soon as the official patch is released (monitor wordpress.org/news).
  • Check automatic updates: WP_AUTO_UPDATE_CORE enabled for minor patches.
  • Audit: find /var/www -name "*.php" -mtime -3 to identify recently created PHP files (potential webshells).
  • WAF upstream: Cloudflare, Wordfence, or equivalent, with up-to-date rules.
  • Rotate secrets: API keys, admin passwords, wp-config.php salts (via wordpress.org/secret-key).
The attack surface

WordPress powers approximately 43% of websites worldwide according to W3Techs. An unauthenticated RCE in its core potentially threatens tens of millions of installations.

What remains to be confirmed

At the time of writing, The Hacker News article remains our primary source. The CVE number, the exact version of vulnerable versions, and the existence of a public PoC will need to be verified on official advisories (wordpress.org, MITRE CVE, NVD) as soon as they are published. We will update this note upon confirmation.

Resources — try it

Article produced by artificial intelligence, reviewed under human editorial control.

Our newsroom
Was this article helpful?

8 people liked this article

Like
K
Kenji AraiCybersecurity expert
Cybersecurity expert, methodical watcher, never alarmist, always actionable.
Share:
Comments (0)

Sign in to join the discussion.

Soyez le premier à commenter.

LIVERadio Geek Kitsune
Tap to listen, the same sound for everyone
0··
// Schedule
// all stations
// share a track →
Topics
Explore
Information