An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced updates through its auto-update system. Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, found the flaw and reported
UPVOTERS
Community appreciation
See who found this content valuable and showed their support.
No upvotes yet.
Be the first to show your appreciation for this content.
TOPICS
Explore the same topics
Discover more content from the topics this post is mapped to.
Keep browsing
Explore more from this topic
Dive into the full feed of curated posts covering Cybersecurity & Data Protection.
Discussion
Get the discussion rolling
A single comment can start something great.