The Hacker NewsSaturday · July 18, 2026FREE

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

wordpresssecurityrcevulnerability

A critical security flaw in WordPress core, named wp2shell, has been disclosed. The vulnerability enables unauthenticated attackers to run arbitrary code on vulnerable WordPress installations. The source, The Hacker News, reported the issue on July 17, 2026, but did not specify the affected WordPress versions or provide a CVE identifier. The article does not mention any patch release or workaround from the WordPress security team. This lack of remediation details leaves site administrators exposed without clear steps to mitigate the risk. The vulnerability's name suggests it may involve shell access, but the source does not elaborate on the attack vector or exploitation method. No proof-of-concept code or active exploitation was reported in the source. The disclosure appears to be a preliminary alert, with further details expected from the WordPress project or security researchers.

// why it matters

Unauthenticated remote code execution in WordPress core puts millions of sites at immediate risk.

Sources

Primary · The Hacker News
▸ Read original at thehackernews.com

Like this? Get the next digest.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code — aigest.dev