How an Unauthenticated Request Can Hijack Your WordPress Site

ยท
Listen to this article~5 min
How an Unauthenticated Request Can Hijack Your WordPress Site

A critical WordPress core flaw allows unauthenticated attackers to run code on any site running version 6.9 or 7.0. With a public proof-of-concept available, update immediately to protect your site from remote code execution attacks.

Updated July 18, 2026: the two flaws now carry CVE IDs, the full mechanism has been published, a persistent-object-cache condition has surfaced, and a working proof-of-concept is public. The story below reflects all of it. You might think your WordPress site is safe because you don't use any plugins. But here's the thing: this bug lives in WordPress core itself. That means even a completely bare installation โ€” no themes, no plugins, nothing โ€” is vulnerable to a remote code execution attack. An anonymous HTTP request can run arbitrary code on your site. No login required. No credentials needed. Just a single request sent by anyone on the internet. And it works on every WordPress version 6.9 and 7.0 that wasn't updated before the patch was released. ### What Makes This Exploit So Dangerous This isn't your average vulnerability. Most WordPress flaws require some kind of user interaction or authenticated access. But this one is different. It's a pre-auth remote code execution bug, which is about as serious as it gets. - No authentication needed: attackers can target any site without knowing a username or password. - Core-level flaw: it's in WordPress core, so it affects every site running the affected versions. - Public proof-of-concept: a working exploit is already circulating, making it easier for anyone with basic skills to launch an attack. The fact that a proof-of-concept is public means the window for patching is effectively closed. If you haven't updated yet, your site is at risk right now. ### The Persistent Object Cache Angle One thing that caught our attention is the persistent-object-cache condition. Researchers found that the exploit works more reliably when a persistent object cache โ€” like Redis or Memcached โ€” is enabled. That's unusual because caching is generally seen as a security plus, not a liability. But here's the twist: the bug leverages how WordPress handles cached data during certain operations. If your site uses a persistent object cache, the attacker's payload can be stored and executed across multiple requests, making the attack more devastating. ### What You Should Do Right Now If you're running WordPress 6.9 or 7.0, update immediately. The patched versions are already available. Don't wait for your hosting provider to do it โ€” take control yourself. - Log into your WordPress admin dashboard. - Go to Dashboard > Updates. - Click "Update Now" to install the latest version. - Verify the update by checking your site's version number. After updating, review your site for any signs of compromise. Check for unfamiliar admin users, suspicious files in your uploads directory, and unexpected database entries. ### How Antidetect Browsers Help Keep You Safe This might sound unrelated, but stick with me. Antidetect browsers โ€” like the ones we review at Antidetectbrowsershub โ€” are designed to protect your online identity by masking browser fingerprints. They're commonly used by privacy-conscious professionals. But here's a lesser-known benefit: many antidetect browsers include built-in security features that can help protect against web-based attacks. For example, some can block malicious JavaScript execution, prevent unauthorized data exfiltration, and alert you to suspicious network requests. While an antidetect browser won't directly patch your WordPress installation, it can act as an additional layer of defense against exploits that target your browsing session or attempt to steal your admin credentials. ### Final Thoughts This WordPress core flaw is a serious wake-up call. It proves that no software is immune to critical vulnerabilities, even when it's maintained by a massive open-source community. The fact that a bare install is exploitable should make every site owner pay attention. Update your sites, monitor for suspicious activity, and consider using additional security tools โ€” including antidetect browsers โ€” to reduce your attack surface. The threat landscape is evolving fast, and staying ahead means being proactive, not reactive.