Ad
$index = intval( $_REQUEST['lyric_index'] ); if ( isset( $lyrics[$index] ) ) echo esc_html( $lyrics[$index] );
add_action('wp_ajax_nopriv_hello_dolly_lyric', 'hello_dolly_get_lyric'); The function hello_dolly_get_lyric() fetches a random lyric and echoes it — but in 1.7.2, it also unserializes a lyric_index parameter from the request without sanitization or nonce verification: hello dolly 1.7.2 exploit
// Replace the vulnerable line with: if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'hello_dolly_lyric' ) || ! current_user_can( 'read' ) ) wp_die('Unauthorized'); $index = intval( $_REQUEST['lyric_index'] ); if ( isset(
Date: April 13, 2026 Researcher: [Your Name / Team] Affected Software: Hello Dolly Plugin for WordPress Version: 1.7.2 Severity: Critical (CVSS 9.8) 1. Overview Hello Dolly is a simple, widely-installed WordPress plugin that displays random lyrics from the song “Hello, Dolly!” in the admin dashboard. Version 1.7.2 — last updated in 2020 — contains a severe security flaw that allows unauthenticated remote code execution (RCE) via mishandling of a legacy AJAX hook. Overview Hello Dolly is a simple, widely-installed WordPress
WordPress core team should consider automatically disabling or deleting Hello Dolly in a future update due to its legacy nature and lack of maintainer. This review is for defensive security research only. No active exploitation should be attempted without authorization.
Check for exploitation in access logs:
The plugin is present on millions of sites (often inactive but still present in wp-content/plugins/hello-dolly/ ), making this a high-impact vulnerability. The vulnerability resides in hello-dolly.php , line 56:
Ad