Apparently (?) there's a Pre-Auth RCE (!) in core WordPress (?!), but there are extremely few details as yet.
If it's as gnarly as it sounds, a lot of sites are going to have a very bad time. We'll keep this story updated as details emerge.
https://discourse.ifin.network/t/wp2shell-pre-auth-rce-in-wordpress-no-cve/672