This WordPress Core Bug Lets Anyone Run Code on Your Site โ€” Here's What to Do

ยท
Listen to this article~5 min
This WordPress Core Bug Lets Anyone Run Code on Your Site โ€” Here's What to Do

A critical WordPress core flaw allows unauthenticated attackers to run code on any site running version 6.9 or 7.0. Emergency patches are out, including forced auto-updates. Learn what happened and how to protect your site.

If you run a WordPress site, you just got a serious wake-up call. A newly discovered flaw in WordPress core means that an anonymous HTTP request can execute malicious code on your server. No plugins required. No special access. Just a bare installation of WordPress is enough to be vulnerable. ### The Flaw in Plain English Security researcher Adam Kues, working with Assetnote (part of Searchlight Cyber's attack surface management arm), found the vulnerability and reported it responsibly. The bug affects every WordPress site running version 6.9 or 7.0. That's tens of millions of sites, from personal blogs to major e-commerce stores. Here's the scary part: the exploit doesn't need authentication. Anyone with an internet connection can send a crafted HTTP request and potentially take over your site. Think of it like leaving your front door unlocked, but instead of a physical key, the attacker just needs to whisper the right password through the mail slot. ### The Fix That Was Forced on Everyone On Friday, WordPress shipped emergency updates: version 6.9.5 for the 6.9 branch and 7.0.2 for the 7.0 branch. But they didn't just make the update available. They enabled what they call "forced updates" through their auto-update system. This means many sites got patched automatically, even if the admin had turned off auto-updates. - **Version 6.9.5** fixes the flaw for sites on the 6.9 branch - **Version 7.0.2** does the same for the 7.0 branch - **Forced updates** mean the patch was pushed to millions of sites without admin action ### Why This Matters to You You might think, "I'm just a small blog. Why would anyone target me?" But attackers don't care about your content. They care about your server. Once they gain access, they can: - Install malware that turns your site into a spam distributor - Steal visitor data, including email addresses and passwords - Use your server to launch attacks on other sites - Hold your site for ransom Even a bare WordPress install with zero plugins is exploitable. That's what makes this bug so dangerous. It's not a plugin vulnerability that only affects certain configurations. It's in the core code that every WordPress site relies on. ### What You Should Do Right Now First, check your WordPress version. If you're on 6.9.x, make sure you're at 6.9.5 or higher. If you're on 7.0.x, you need 7.0.2 or higher. You can find your version in the admin dashboard under "Dashboard" > "Updates." If you haven't updated yet, do it immediately. Even if you disabled auto-updates, the forced update system may have already patched you. But don't assume. Verify. Second, review your site's security logs. Look for any unusual HTTP requests, especially POST requests to wp-admin/admin-ajax.php or similar endpoints. If you see something suspicious, change all your passwords and consider restoring from a backup made before the vulnerability was disclosed. Third, consider adding an extra layer of security. A web application firewall (WAF) can block malicious requests before they reach your WordPress installation. Many hosting providers offer this as a built-in feature. ### The Bigger Picture This incident highlights a fundamental truth about running a website: no software is perfect. Even WordPress, which powers over 40% of the web, has critical flaws. The key is how quickly you respond when a patch becomes available. WordPress's forced update system is controversial. Some admins prefer to control when updates happen, especially on mission-critical sites. But in cases like this, where the vulnerability is actively being exploited, forced updates can save thousands of sites from compromise. For now, breathe easy if you're already patched. And take this as a reminder to stay vigilant. The next bug might not get the same urgent response.