New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites

A content management software (CMS) flaw exists that can lead to remote code execution attacks in WordPress versions that have not been updated to 5.1.1.  The exploit allows the attacker to take complete control over a compromised WordPress website remotely by injecting a payload via XSS that modifies the template to include a PHP backdoor.  Everything happens in one swift step and without alerting an administrator.  WordPress 5.1.1 fixes the issue, so any users that have not updated are highly encouraged to do so immediately.

Relevant URL(s):