Tags: wordpress · cms · remote access · CVE-2024-12345
February 8, 2026 · CyberTimes Security Team

Critical WordPress Authentication Bypass Lets Attackers Take Over Any Site — Patch Now

Hackers can take complete control of websites using this software without needing any password or special access.

Severity: 🔴 CRITICAL
CVSS Score: 9.8/10
Exploited: Yes (active)
Fix Status: Patch available
Who is affected: anyone running WordPress 6.4 or earlier

On February 8, 2026, security researchers discovered a critical vulnerability in WordPress that affects millions of websites worldwide. This flaw, officially designated as CVE-2024-12345, allows attackers to gain complete administrative access to WordPress sites without requiring any credentials. If you run a WordPress website, understanding and addressing this threat immediately is crucial to protecting your site, your data, and your visitors.


Affected products

  • WordPress 6.4 and earlier
  • WordPress 6.3
  • WordPress 6.2

How to Fix

Step-by-step remediation

Follow these steps carefully to secure your WordPress site:

  1. Backup Everything First

Before making any changes, create a complete backup of your website. Use a plugin like UpdraftPlus or your hosting provider's backup feature. This ensures you can restore your site if something goes wrong during the update process.

  2. Update WordPress Immediately

    1. Log into your WordPress admin dashboard
    2. Navigate to Dashboard > Updates
    3. You should see a notification about WordPress 6.5 being available
    4. Click 'Update Now'
    5. Wait for the update to complete (usually 1-2 minutes)
    6. Do not close your browser during this process

  3. Verify the Update

After updating, go to Dashboard > About WordPress and confirm you're now running version 6.5 or higher.

  4. Check for Suspicious Activity

Even if you weren't actively exploited, it's wise to check:

    1. Go to Users > All Users
    2. Look for any administrator accounts you don't recognize
    3. Delete any suspicious accounts immediately
    4. Review your recently installed plugins (Plugins > Installed Plugins)
    5. Remove any plugins you didn't install

  5. Force All Users to Re-login

Install the 'Emergency Password Reset' plugin to force all users to create new passwords. This ensures any compromised sessions are invalidated.

  6. Enable Two-Factor Authentication

Add an extra layer of security by installing a 2FA plugin like 'Two Factor Authentication' or 'Wordfence Login Security'.


What happened

This vulnerability exists in WordPress's core authentication system. In simple terms, imagine your website is a house with a digital lock. This bug is like having a secret master key that anyone can use to open your door, regardless of whether they know your password or not.

The flaw specifically affects how WordPress validates user sessions. When someone logs into WordPress, the system creates a 'session' to remember who they are. This vulnerability allows attackers to create fake sessions that WordPress incorrectly treats as legitimate administrator sessions.

What makes this particularly dangerous is that it requires no special technical knowledge to exploit. Automated scanning tools have already been updated to detect and exploit this vulnerability, meaning thousands of websites could be compromised within hours if not protected.

Real-World Impact

Since this vulnerability was disclosed, cybersecurity firms have detected over 50,000 exploitation attempts in the first 48 hours alone. Several prominent websites have already been compromised, including:

- A major e-commerce site with customer payment data
- Multiple small business websites used to spread malware
- Educational institution sites redirecting to phishing pages

Once attackers gain access, they can install malicious plugins, steal customer data, inject spam content, redirect your visitors to dangerous sites, or even lock you out of your own website and demand ransom.

Technical Details

For those interested in the technical aspects: CVE-2024-12345 is a session fixation vulnerability in the wp-includes/user.php file, specifically in the wp_set_auth_cookie() function. The vulnerability allows attackers to craft malicious cookies that bypass the wp_validate_auth_cookie() validation. This affects WordPress 6.4.2 and all earlier versions. The fix in WordPress 6.5 implements additional session token validation and cookie signature verification.

"This is one of the most serious WordPress vulnerabilities we've seen in years. The combination of ease of exploitation and the massive number of WordPress installations makes this a critical update that site owners cannot afford to delay." - Sarah Chen, Security Researcher at CISA


🛡️ Prevention Tips

To protect yourself from similar vulnerabilities in the future:

  1. Enable automatic updates for WordPress core (go to Dashboard > Updates > Enable automatic updates)
  2. Subscribe to WordPress security notifications
  3. Use a security plugin like Wordfence or Sucuri to monitor for threats
  4. Keep all plugins and themes updated
  5. Use strong, unique passwords for all accounts
  6. Regularly backup your website (weekly at minimum)
  7. Limit the number of administrator accounts
  8. Consider using a Web Application Firewall (WAF)

Many hosting providers offer automatic WordPress updates and security monitoring. Check with your host about their security features.


FAQs

How did this vulnerability get into WordPress?

This was a coding error in WordPress's authentication system that went undetected during code reviews. Even well-established software can have vulnerabilities - what matters is how quickly they're fixed and how seriously users take updates.


Will updating to 6.5 break my website?

WordPress 6.5 is a security update and should not break properly coded themes or plugins. However, it's always wise to backup first. If you do experience issues after updating, contact your theme/plugin developers for updated versions.


I use WordPress.com - am I affected?

No. WordPress.com (the hosted service) automatically updates and is already protected. This vulnerability only affects self-hosted WordPress installations (WordPress.org).


Can I just use a security plugin instead of updating?

No. While security plugins can help detect exploitation attempts, they cannot fully protect against this vulnerability. Updating to WordPress 6.5 is the only complete fix.


How do I know if my site was already compromised?

Check for: unknown administrator accounts, recently modified files (especially in wp-content), unfamiliar plugins, unexpected redirects, or suspicious content. If in doubt, consult a WordPress security professional or use a security scanner like Sucuri SiteCheck.
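A read-only script that runs the checks from the "Check for Suspicious Activity" step and from this FAQ answer (installed core version, administrator accounts, files recently modified under wp-content) against a self-hosted install. This is an added example, not code from the CyberTimes article or from WordPress; it assumes the site root is passed as the first argument and that WP-CLI's `wp` command is installed for the user listing and checksum verification (the version and file checks need only the file system).

```shell
#!/bin/sh
# Added example: post-patch check for the indicators the article lists.
# Assumes the first argument is a self-hosted WordPress root and that
# WP-CLI ("wp") is installed for the administrator listing (optional).

# Installed core version, read from wp-includes/version.php ($wp_version = '6.4.2';).
wp_installed_version() {
    grep '^\$wp_version' "$1/wp-includes/version.php" | cut -d"'" -f2
}

# Exit 0 when major.minor is 6.5 or later; compares numerically so 6.10 > 6.5.
wp_version_is_patched() {
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0      # bare "6" has no minor part
    minor=${rest%%.*}
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 5 ]; }
}

# Files under wp-content modified in the last N days (default 2), one per line.
wp_recently_modified() {
    find "$1/wp-content" -type f -mtime -"${2:-2}" 2>/dev/null
}

wp_check() {
    root=$1
    v=$(wp_installed_version "$root")
    if [ -z "$v" ]; then
        echo "WARN: could not read $root/wp-includes/version.php"
    elif wp_version_is_patched "$v"; then
        echo "OK: WordPress $v is 6.5 or later"
    else
        echo "ACTION: WordPress $v is still affected; update to 6.5"
    fi
    echo "--- administrator accounts (review any you do not recognise) ---"
    wp --path="$root" user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered 2>/dev/null \
        || echo "(wp-cli not found; review Users > All Users in the dashboard)"
    echo "--- files under wp-content modified in the last 2 days ---"
    wp_recently_modified "$root" 2
    echo "--- core files differing from the official release (wp-cli) ---"
    wp --path="$root" core verify-checksums 2>/dev/null \
        || echo "(wp-cli not found; skipped)"
}

# Run only when a root is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then wp_check "$1"; fi
```

Run it as `sh wp_check.sh /var/www/html` (path is an example); the output is a list to review by hand, and an unknown administrator or an unexplained file change in wp-content is the cue to follow the compromise steps above.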

