By Interestana AI Editorial — AI-drafted, human-overseen. How we report
WordPress Core Flaw Allows Unauthenticated Code Execution

A critical vulnerability in WordPress core, identified as CVE-2024-XXXX, enabled unauthenticated attackers to execute arbitrary code on affected websites. The flaw, discovered by Adam Kues of Assetnote, a division of Searchlight Cyber, could be exploited through a simple anonymous HTTP request, even on a bare WordPress installation without any plugins. This means that every WordPress site running versions 6.9 and 7.0 was vulnerable until the patches were deployed.
WordPress addressed the vulnerability by releasing security updates 6.9.5 and 7.0.2 on Friday, May 17, 2024. Crucially, the company also enabled its "forced updates" feature through its auto-update system. This measure ensures that all sites running vulnerable versions are automatically updated to the patched versions, mitigating the immediate risk posed by the exploit. The forced update mechanism is designed to rapidly deploy critical security fixes across the vast WordPress ecosystem.
Assetnote's research highlighted the severity of the bug, noting its presence in the core WordPress software. This contrasts with many vulnerabilities that are introduced through third-party plugins or themes. The exploit's simplicity, requiring only an anonymous HTTP request, made it a significant threat to website security. The disclosure and subsequent patching demonstrate the ongoing challenges in securing widely used web platforms against sophisticated attacks.
Original source — read the full reporting at the publisher:
Read on The Hacker NewsGet the weekly AI digest
AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.