New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
Overview
A serious vulnerability has been discovered in the WordPress core that allows unauthenticated attackers to execute code on affected sites. This flaw impacts any WordPress installation running versions 6.9 and 7.0, even those without any plugins installed. The issue was identified by Adam Kues from Assetnote, and WordPress has since addressed it with updates 6.9.5 and 7.0.2, which were released on Friday. These updates include a feature called forced updates to help secure sites against this vulnerability. It's crucial for WordPress users to ensure they are running the latest version to protect their sites from potential exploitation.
Key Takeaways
- Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
- Affected Systems: WordPress versions 6.9 and 7.0
- Action Required: Update to WordPress version 6.
- Timeline: Disclosed on [date of report]
Original Article Summary
An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced updates through its auto-update system. Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, found the flaw and reported
Impact
WordPress versions 6.9 and 7.0
Exploitation Status
This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.
Timeline
Disclosed on [date of report]
Remediation
Update to WordPress version 6.9.5 or 7.0.2 to mitigate the vulnerability.
Additional Information
This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.
Related Topics: This incident relates to Vulnerability, Update.