This WordPress Core Flaw Lets Attackers Run Code Without a Login

ยท
Listen to this article~3 min
This WordPress Core Flaw Lets Attackers Run Code Without a Login

Updated July 18, 2026: Two WordPress core flaws now have CVE IDs, a working proof-of-concept is public, and every site running 6.9 or 7.0 is vulnerable to unauthenticated code execution via HTTP request.

Updated July 18, 2026: The two flaws now carry CVE IDs, the full mechanism has been published, a persistent-object-cache condition has surfaced, and a working proof-of-concept is public. The story below reflects all of it. An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until the patch dropped. ### What Makes This Bug So Dangerous? This isn't your typical plugin vulnerability. It lives in WordPress core itself, which means even a fresh installation with no extra plugins is completely exposed. Attackers don't need a username or password. They just send a specially crafted HTTP request, and boom โ€” they can execute arbitrary code on your server. Think of it like a locked front door that suddenly opens when someone knocks a specific rhythm. No key needed. No alarm triggered. Just a quiet knock and full access. ### Who Is Affected? Every WordPress site running version 6.9 or 7.0 is vulnerable. That's millions of sites worldwide. If you haven't updated to the latest patched version, your site is still at risk right now. ### The Technical Details (Simplified) The flaw involves how WordPress handles object caching. Under certain conditions, a persistent object cache can be tricked into accepting malicious data from an unauthenticated request. This data then gets deserialized, which is where the code execution happens. Here's what security researchers found: - The bug exists in the core caching mechanism - It requires no authentication to trigger - A working proof-of-concept is already public - Both CVE IDs have been assigned and published ### What Should You Do Right Now? First, don't panic. But do act quickly. Here's your checklist: - Update WordPress to the latest version immediately - Check if your hosting provider has applied the patch - Review your site's error logs for any suspicious activity - Consider temporarily disabling object caching if you can't update right away ### The Bottom Line This is one of those rare vulnerabilities that affects virtually every WordPress site. The fact that it's in core and doesn't require authentication makes it a prime target for automated attacks. If you haven't patched yet, stop reading and go update your site. Seriously. Right now. We'll keep this post updated as more information becomes available. Stay safe out there.