The Hacker News is reporting a new WordPress core vulnerability, nicknamed "wp2shell," that allows unauthenticated attackers to execute arbitrary code. The name itself tells you the punchline: an attacker with no credentials and no prior access can turn a normal WordPress install into a shell — full remote code execution on the box. This is the nightmare scenario for the CMS that still runs a huge share of the visible internet: a core flaw, not a plugin or theme issue, meaning every unpatched install sharing that core code is exposed regardless of which builder, page editor, or ecommerce stack sits on top of it. Unauthenticated RCE bugs in widely-deployed CMS platforms have a predictable lifecycle — public disclosure triggers mass automated scanning within days, and the sites that get hit first are almost never the high-profile targets; they're the small business sites nobody's watching, running old core versions because