BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

WordPress core hit by zero-click RCE bug, patch now live

WordPress patches pre-auth RCE flaw discovered by Adam Kues in versions 6.9.5 and 7.0.2.

  • WordPress patched a pre-authentication remote code execution flaw in versions 6.9.5 and 7.0.2 on July 17, 2026.
  • The bug, found by Adam Kues of Searchlight Cyber’s Assetnote, allows an anonymous HTTP request to run code on a default install with zero plugins.
  • No CVE ID or CVSS score has been assigned yet, and no exploitation attempts have been reported as of July 18.
  • Mitigations include blocking the /wp-json/batch/v1 endpoint at a WAF or disabling the REST API entirely.

An anonymous HTTP request can remotely execute code on any WordPress site running versions 6.9.0 through 6.9.4 or 7.0.0 through 7.0.1, even on a bare install with no plugins. Adam Kues at Assetnote, the attack surface management arm of Searchlight Cyber, discovered the flaw and reported it through WordPress’s HackerOne program. The firm’s writeup, published under the name wp2shell, states the attack has “no preconditions and can be exploited by an anonymous user.”

- Advertisement -

WordPress shipped 6.9.5 and 7.0.2 on July 17, 2026, and enabled forced updates through its auto-update system. However, the company has not said whether the forced push reaches sites that turned auto-updates off. The release post describes the finding as “a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution.” The batch endpoint has existed since WordPress 5.6 in November 2020, and nothing published so far explains what changed in version 6.9 to open it.

Neither advisory carries a CVE ID or a CVSS score, and no CVE record had appeared by July 18. Consequently, CISA cannot add the flaw to its KEV catalog until a CVE is assigned. Searchlight’s post estimates that over 500 million websites run WordPress, though only those on releases from 6.9 onward (shipped December 2, 2025) are affected. For administrators unable to update immediately, Searchlight Cyber recommends blocking both /wp-json/batch/v1 and rest_route=/batch/v1 at a WAF, or disabling the REST API altogether. No exploitation attempts have been reported as of July 18, but with no public signature to match, visibility remains limited.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

ECB: Stablecoin growth puts European bank deposits at risk

ECB board member Piero Cipollone warned Friday that stablecoin growth could strip European banks...

Tesla Launches Megacharger Network with Bloomington Station

Tesla opened a new public Megacharger station in Bloomington, California, calling it the start...

Apple Overtakes Nvidia as World’s Most Valuable Public Company

Apple briefly surpassed NVIDIA as the world’s most valuable publicly traded company, hitting an...

Galaxy Digital buys naming rights to Texas Tech stadium in 15-year deal

Galaxy Digital signed a 15-year naming rights deal with Texas Tech, renaming the football...

ViteVenom: 7 Malicious npm Packages Target Vite Ecosystem

Researchers at Checkmarx uncovered the ViteVenom campaign, a software supply chain attack using seven...

Must Read

TOP 12 Day Trading Crypto Books For Beginners

Day trading cryptocurrencies has become an increasingly popular financial activity, offering the potential for huge returns to those who understand the market's complexities and...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading