<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>REST API on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/rest-api/</link><description>Recent content in REST API on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Sat, 18 Jul 2026 12:59:44 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/rest-api/index.xml" rel="self" type="application/rss+xml"/><item><title>WordPress Let One Request Read Your Database for 227 Days</title><link>https://hackingpassion.com/wordpress-wp2shell-rce/</link><pubDate>Sat, 18 Jul 2026 12:59:44 +0200</pubDate><guid>https://hackingpassion.com/wordpress-wp2shell-rce/</guid><description>&lt;p>A hole in WordPress handed your database to someone who never logged in. For 227 days it took one request. It needed no password and no plugin, just an address that has been part of WordPress since December 2020. 🧐&lt;/p>
&lt;p>&lt;strong>The patch is the problem.&lt;/strong>&lt;/p>
&lt;p>WordPress is open source, so the repair had to be published. It went up on Friday afternoon: three commits, three files, timestamped 16:27 UTC. Put the old version next to the new one and you can read what was broken.&lt;/p></description></item></channel></rss>