This WordPress Core Flaw Lets Attackers Run Code Without a Password

ยท
Listen to this article~4 min
This WordPress Core Flaw Lets Attackers Run Code Without a Password

A critical WordPress core flaw allows unauthenticated attackers to execute code via a simple HTTP request. Every site running version 6.9 or 7.0 is vulnerable. Update immediately to protect your data.

Updated July 18, 2026: the two flaws now carry CVE IDs, the full mechanism has been published, a persistent-object-cache condition has surfaced, and a working proof-of-concept is public. The story below reflects all of it. An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until the patch was released. ### What Makes This Flaw So Dangerous You might think a WordPress site is safe if you avoid sketchy plugins. But this vulnerability lives in the core software itself. That means even the most minimal installation is at risk. Think of it like a lock on your front door that can be picked by anyone who knows the trick. No special tools needed, just a simple HTTP request. The flaw has been given two CVE IDs, and security researchers have published the full details. A proof-of-concept exploit is now public, which means attackers have a clear blueprint to follow. If you haven't updated yet, your site could be compromised at any moment. ### Who Is Affected and What You Should Do - **WordPress 6.9** and **7.0** are the only versions affected. - Every site running these versions is vulnerable, regardless of plugins or themes. - The fix is included in the latest security update. Update immediately. If you use a managed hosting provider, they may have already applied the patch. But don't rely on that assumption. Check your WordPress admin dashboard for update notifications and apply them manually if needed. ### A Word on Persistent Object Cache One interesting detail that surfaced is the role of persistent object cache. In some configurations, this caching layer can mask the flaw or change how it behaves. That doesn't make you safe, but it can make detection harder. If you're using a caching plugin like Redis or Memcached, verify that your cache is cleared after updating. ### Why This Matters for Antidetect Browser Users If you're in the antidetect browser space, you understand the importance of keeping your digital footprint clean. A compromised WordPress site can leak session data, cookies, and browser fingerprints. That's the last thing you want when you're managing multiple profiles or anonymous browsing sessions. Consider this: an attacker who gains code execution on your WordPress site can install a backdoor, steal database contents, or redirect traffic. For anyone relying on antidetect tools to maintain privacy, a breached site is a direct threat to your operational security. ### The Bottom Line This isn't a theoretical risk. It's a live exploit with a public proof-of-concept. The window for action is closing fast. Update your WordPress installation now, verify your object cache, and review your site's security logs for any suspicious activity. Stay safe out there. Your digital privacy depends on it.