Colleagues, note a critical WordPress core vulnerability: an anonymous request can lead to RCE

Colleagues, I’d like to flag a cybersecurity development.
I’ve identified a critical flaw in WordPress core: an anonymous HTTP request may lead to code execution on a site without authentication.
The vulnerability affects clean installations with no plugins.
WordPress has already released fixes: 6.9.5 and 7.0.2.
Until patching, I would review the instance and temporarily restrict access to /wp-json/batch/v1 and rest_route=/batch/v1.
Why this matters: the attack requires no preconditions, which makes the risk especially high for public-facing sites.
Have you already updated WordPress?
#cybersecurity #WordPress #vulnerability #patchmanagement


Latest comments
No comments yet.