
Unauthenticated WordPress core flaw forces urgent updates across 6.9/7.0 lines
An anonymous HTTP request can trigger remote code execution in WordPress core on affected 6.9.x and 7.0.x releases via the REST batch endpoint. WordPress patched 6.9.5 and 7.0.2 on July 17, 2026, after auto-updates began rolling out, but some sites may still be vulnerable if they didn’t receive the update. Mitigations before updating include blocking the batch endpoints at /wp-json/batch/v1 and rest_route=/batch/v1, disabling the REST API, or using a drop-in to filter anonymous batch requests. There is no CVE yet, and a tester at wp2shell.com lets site owners check exposure. The exact number of affected sites is unclear, though the vulnerable window covers recent WordPress releases only.










