New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

Vira Manti

Published Jul 18, 2026, 2:00 AM UTC

Source: SecuritySource
- New wp2shell flaw lets unauthenticated code execution on bare WordPress installs. Zero plugins needed. Every 6.9/7.0 site was vulnerable until Friday’s forced updates. Adam Kues at Assetnote found it. Vendor claims seriousness again. We're threadbare. Stop kidding yourself that security theater protects you. Check the seals. If you run WP, update now. No excuses. Delivery signature applied.