WordPress Core RCE Affects 6.9 and 7.0: Forced Auto-Updates Limit Exposure Window
An unauthenticated remote code execution flaw in WordPress core 6.9 and 7.0 allowed arbitrary code execution on unpatched installations. WordPress deployed forced auto-updates on Friday, rapidly patching affected versions to 6.9.5 and 7.0.2.
Affected
Adam Kues at Assetnote discovered an unauthenticated remote code execution vulnerability present in WordPress core versions 6.9 and 7.0. The flaw requires no authentication and no plugins: a bare WordPress installation is exploitable through anonymous HTTP requests. This represents a severe attack surface since core vulnerabilities affect all WordPress sites running affected versions, regardless of defensive posture or plugin hardening.
The technical scope is particularly concerning because the vulnerability resides in core code rather than optional extensions. Attackers can chain unauthenticated HTTP requests to achieve code execution, bypassing all conventional WordPress authentication and authorisation controls. The vulnerability was likely discovered through source code analysis or reverse engineering following responsible disclosure to WordPress security teams.
WordPress responded by shipping 6.9.5 and 7.0.2 patches and invoking forced auto-updates through its update system. This mechanism automatically deploys critical security patches even on sites where administrators have disabled routine auto-updates. The deployment appears to have substantially reduced the vulnerable population within a short timeframe, converting what could have been a widespread exploitation opportunity into a time-limited exposure window.
Organisations running WordPress 6.9 or 7.0 should verify they are running patched versions (6.9.5 or 7.0.2 respectively). Sites that disabled auto-updates may need manual intervention. Hosting providers and managed WordPress platforms likely received the patches automatically. The incident demonstrates both the severity risk that core vulnerabilities introduce and the value of forced update mechanisms during active threats, though this also raises ongoing debates about administrator autonomy versus security velocity.
This event sets a precedent: WordPress core vulnerabilities of this severity now trigger aggressive patching postures. Future discoveries in core code will likely face similar response protocols, fundamentally changing the risk calculus for attackers targeting WordPress infrastructure.
Sources