This WordPress Core Flaw Lets Hackers Run Code Without a Password

ยท
Listen to this article~4 min
This WordPress Core Flaw Lets Hackers Run Code Without a Password

A critical WordPress core flaw in versions 6.9 and 7.0 allows unauthenticated attackers to run code via HTTP request. Update immediately to protect your site.

Updated July 18, 2026: the two flaws now carry CVE IDs, the full mechanism has been published, a persistent-object-cache condition has surfaced, and a working proof-of-concept is public. The story below reflects all of it. An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until now. ### What Makes This Different? You might be used to hearing about plugin vulnerabilities. Those are bad, sure, but they at least give you a fighting chance. You can disable the plugin, wait for a fix, and move on. This is different. This is WordPress itself. No matter how careful you are with your plugin choices, if you're running version 6.9 or 7.0, you're exposed. And here's the scary part: the attack comes from an unauthenticated request. That means someone doesn't need a username, a password, or any kind of access to your site. They just send a specially crafted HTTP request, and boom, they're running code on your server. ### The Technical Breakdown The vulnerability lives in WordPress's core code. It's not a configuration issue or a setting you forgot to toggle. It's a fundamental flaw in how the system handles certain types of requests. The proof-of-concept is already public, which means attackers are actively reverse-engineering it to build their own exploits. The persistent-object-cache condition adds another layer of complexity. If you use caching plugins or server-level caching, the exploit might behave differently, but that doesn't make you safe. It just makes the attack vector slightly different. ### What You Need to Do Right Now - Update immediately. The fix is out, and every minute you wait increases your risk. - Check your version: if you're on 6.9 or 7.0, you're vulnerable. - Don't assume a plugin will save you. This is core, and no security plugin can patch a core flaw. - Monitor your logs for unusual HTTP requests, especially those that don't come with authentication. ### Why This Matters for Your Business A compromised WordPress site can mean stolen customer data, defaced pages, or worse, malware that spreads to your visitors. If you run an e-commerce site, a blog, or a corporate portal, this isn't just a technical issue. It's a business continuity problem. Think about the cost: downtime, reputation damage, potential legal liability if customer data is involved. The fix is simple, but the consequences of ignoring it are severe. ### The Bigger Picture This isn't the first core vulnerability, and it won't be the last. The WordPress ecosystem is massive, and maintaining security across millions of sites is a constant challenge. But this one is particularly dangerous because of how easy it is to exploit and how little access is required. The takeaway is simple: stay updated. It's the single most effective thing you can do to protect your site. Set up automatic updates if you haven't already, and check your version regularly. Your site's security depends on it.