Unauthenticated WordPress core flaw forces urgent updates across 6.9/7.0 lines

1 min read
Source: The Hacker News
Unauthenticated WordPress core flaw forces urgent updates across 6.9/7.0 lines
Photo: The Hacker News
TL;DR Summary

An anonymous HTTP request can trigger remote code execution in WordPress core on affected 6.9.x and 7.0.x releases via the REST batch endpoint. WordPress patched 6.9.5 and 7.0.2 on July 17, 2026, after auto-updates began rolling out, but some sites may still be vulnerable if they didn’t receive the update. Mitigations before updating include blocking the batch endpoints at /wp-json/batch/v1 and rest_route=/batch/v1, disabling the REST API, or using a drop-in to filter anonymous batch requests. There is no CVE yet, and a tester at wp2shell.com lets site owners check exposure. The exact number of affected sites is unclear, though the vulnerable window covers recent WordPress releases only.

Share this article

Reading Insights

Total Reads

1

Unique Readers

2

Time Saved

3 min

vs 4 min read

Condensed

86%

780107 words

Want the full story? Read the original article

Read on The Hacker News