Hello Dolly 1.7.2 Exploit May 2026

The plugin is present on millions of sites (often inactive but still present in wp-content/plugins/hello-dolly/ ), making this a high-impact vulnerability. The vulnerability resides in hello-dolly.php , line 56:

WordPress core team should consider automatically disabling or deleting Hello Dolly in a future update due to its legacy nature and lack of maintainer. This review is for defensive security research only. No active exploitation should be attempted without authorization. hello dolly 1.7.2 exploit

$index = intval( $_REQUEST['lyric_index'] ); if ( isset( $lyrics[$index] ) ) echo esc_html( $lyrics[$index] ); The plugin is present on millions of sites

Date: April 13, 2026 Researcher: [Your Name / Team] Affected Software: Hello Dolly Plugin for WordPress Version: 1.7.2 Severity: Critical (CVSS 9.8) 1. Overview Hello Dolly is a simple, widely-installed WordPress plugin that displays random lyrics from the song “Hello, Dolly!” in the admin dashboard. Version 1.7.2 — last updated in 2020 — contains a severe security flaw that allows unauthenticated remote code execution (RCE) via mishandling of a legacy AJAX hook. Version 1