This WordPress Core Flaw Lets Hackers Run Code on Any Site Instantly

ยท
Listen to this article~5 min
This WordPress Core Flaw Lets Hackers Run Code on Any Site Instantly

A critical WordPress core vulnerability allows unauthenticated attackers to execute code on any site running versions 6.9 or 7.0. Learn how to protect your site now.

Updated July 18, 2026: the two flaws now carry CVE IDs, the full mechanism has been published, a persistent-object-cache condition has surfaced, and a working proof-of-concept is public. The story below reflects all of it. ### The Basics: What's Happening Here? So here's the deal. An anonymous HTTP request can run code on a WordPress site. That's not a typo. The bug lives in core, which means a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until the patch dropped. This is a big deal because it doesn't require any special access. No login, no admin privileges, nothing. Just a well-crafted request and boom, an attacker can execute arbitrary code on your server. ### Why This Vulnerability Is Different Most WordPress vulnerabilities come from plugins or themes. You know the drill: someone installs a sketchy plugin, it has a bug, and you get a security notice. But this one is different. It's in the core software itself. Think of it like finding a crack in the foundation of your house, not just a loose window latch. Every site running version 6.9 or 7.0 was vulnerable until the fix was released. That's millions of sites worldwide. ### The Technical Breakdown The flaw exploits how WordPress handles certain HTTP requests. When a request comes in with specific parameters, the system can be tricked into running code that it shouldn't. The researchers who found it have been transparent about the mechanism, which is good for understanding but also means attackers have a clear playbook. Here's what we know: - The vulnerability is in the core WordPress codebase - It requires no authentication to exploit - A working proof-of-concept is now public - There's a persistent-object-cache condition that makes the attack more reliable ### What This Means for You If you're running a WordPress site, this is the kind of vulnerability that keeps security professionals up at night. The fact that it's in core means there's no workaround other than updating. You can't just disable a plugin and call it a day. Your best defense is simple: update your WordPress installation immediately. If you're on version 6.9 or 7.0, you need to apply the latest security patch. Don't wait. This is not a theoretical risk. There's a working exploit in the wild. ### The Timeline of Events Let's walk through how this unfolded. The initial discovery was made by security researchers who noticed unusual behavior in WordPress core. They reported it responsibly, and the WordPress team worked on a fix. But as often happens, details leaked before the patch was widely deployed. Now we have CVE IDs assigned, the full mechanism published, and a proof-of-concept code circulating. This is the point where the risk becomes real for every site that hasn't updated. ### Protecting Your Site Here's what you need to do right now: 1. Check your WordPress version. If it's 6.9 or 7.0, update immediately 2. Verify that your hosting provider has applied any necessary server-level patches 3. Review your site's security logs for any suspicious activity 4. Consider using a web application firewall as an additional layer of protection ### The Bigger Picture This vulnerability highlights something important about the WordPress ecosystem. With over 40 percent of the web running WordPress, a core vulnerability is a systemic risk. It's not just about individual sites. It's about the entire infrastructure of the internet. The good news is that the WordPress team responded quickly once the vulnerability was disclosed. The bad news is that many site owners still haven't updated. If you're one of them, this is your wake-up call. ### Final Thoughts Security isn't a one-time thing. It's an ongoing process. This vulnerability will pass, but there will be others. The key is to stay informed and act quickly when patches are released. Don't be the person who reads about a critical vulnerability and then does nothing. Update your site. Check your logs. And maybe think about whether you have the right security measures in place for the long term.