A remote code execution vulnerability in WordPress core allows unauthenticated attackers to execute arbitrary code on vulnerable sites through anonymous HTTP requests. The flaw affects WordPress versions 6.9 and 7.0, including bare installations with no plugins deployed, making even stripped-down WordPress instances exploitable.

Assetnote researcher Adam Kues discovered the vulnerability and reported it to WordPress developers. The Wordpress Foundation responded with emergency patches released Friday, delivering versions 6.9.5 and 7.0.2. The update mechanism included forced auto-updates through WordPress's auto-update system, accelerating patch deployment across installations.

The vulnerability's location in WordPress core creates broader exposure than plugin-specific flaws. Core vulnerabilities affect all WordPress versions running the affected code, regardless of plugin count or configuration. Attackers require no authentication, credentials, or user interaction to exploit the flaw, making it trivially accessible to threat actors scanning the web for vulnerable sites.

WordPress sites running 6.9 and 7.0 faced active risk between the vulnerability's discovery and patch availability. Organizations and site operators who had not applied updates by Friday remained exposed to code execution attacks. Attackers could potentially install backdoors, steal data, inject malware, or modify site content without detection.

The forced auto-update deployment represents WordPress's standard critical patch response. However, sites with auto-updates disabled or those managed by hosting providers with delayed update cycles faced extended risk windows. Web hosts controlling update schedules determine actual remediation timelines for their customers.

WordPress users should verify their installed version immediately. Sites running 6.9.x require upgrade to 6.9.5 or later. Sites on 7.0.x require 7.0.2 or later. Administrators managing WordPress installations should check update status in the dashboard. Hosting providers and managed WordPress services should confirm patch deployment