Cybersecurity

Critical wp2shell Vulnerability in WordPress Core Allows Unauthenticated Remote Code Execution Across Millions of Websites

The global cybersecurity community is currently responding to the discovery of a high-stakes vulnerability chain within the WordPress core, collectively referred to as wp2shell, which permits unauthenticated remote code execution (RCE) on affected installations. This critical security flaw is particularly alarming because it resides within the core software itself, meaning that even a default, "bare" installation of WordPress with no third-party plugins or themes is susceptible to exploitation. As of July 18, 2026, the vulnerability has been assigned two distinct Common Vulnerabilities and Exposures (CVE) identifiers, and a functional proof-of-concept (PoC) has been made available to the public, heightening the urgency for site administrators to ensure their systems are fully patched.

The wp2shell exploit is the result of chaining two separate vulnerabilities: CVE-2026-63030, a REST API batch-route logic confusion error, and CVE-2026-60137, a SQL injection flaw in the WordPress core query architecture. When combined, these flaws allow an anonymous attacker to bypass authentication protocols and execute arbitrary code on the underlying server. The vulnerability primarily impacts WordPress versions 6.9 and 7.0, with the RCE chain being fully operational on any site running these versions that does not utilize a persistent object cache.

Technical Breakdown of the wp2shell Chain

The effectiveness of the wp2shell attack lies in its ability to navigate through the WordPress internal request handling system without requiring any user credentials. The first link in the chain, CVE-2026-63030, involves the /wp-json/batch/v1 route. This endpoint is designed to allow developers to perform multiple REST API requests in a single HTTP call to improve efficiency. However, a flaw in how WordPress tracks sub-requests within this batch framework leads to a synchronization error. If a specific sub-request triggers an error, the internal arrays used to manage these requests fall out of alignment. This "off-by-one" error causes a subsequent request to be processed by an incorrect handler, effectively allowing a request to "hop" from a restricted context into a more privileged one.

The second link, CVE-2026-60137, is a SQL injection vulnerability located within the WP_Query class, specifically involving the author__not_in parameter. Under normal circumstances, WordPress expects an array of integers for this parameter and performs validation accordingly. However, researchers discovered that by passing a string instead of an array, the validation check is bypassed, and the raw input is concatenated directly into the SQL query. While a SQL injection in a core component is dangerous on its own, it usually requires some level of administrative access to reach the vulnerable code path. The batch-route confusion (CVE-2026-63030) provides the necessary bridge, allowing an unauthenticated attacker to inject malicious data into the WP_Query execution path.

Chronology of Discovery and Disclosure

The timeline of the wp2shell disclosure highlights the rapid pace of modern vulnerability research and the subsequent race to secure the web’s most popular Content Management System (CMS).

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
  • Initial Discovery: Adam Kues, a researcher at Assetnote (the attack surface management division of Searchlight Cyber), identified the REST API batch-route confusion.
  • Reporting: The vulnerability was reported to the WordPress security team via their official bug bounty program on the HackerOne platform. Simultaneously, other researchers, including TF1T, dtro, and haongo, independently identified the SQL injection flaw in the core query logic.
  • Patch Development: WordPress developers worked privately to address the flaws, recognizing the potential for widespread exploitation given the ubiquity of the 6.9 and 7.0 release branches.
  • Public Disclosure and Patch Release: On Friday, July 12, 2026, WordPress released versions 6.9.5 and 7.0.2. These updates were pushed via the platform’s "forced update" mechanism to as many sites as possible.
  • Publication of Mechanisms: By July 15, technical details began to circulate in the security community. While Searchlight Cyber initially withheld a full technical write-up to give administrators time to patch, other independent researchers analyzed the public patches to reconstruct the exploit.
  • PoC Availability: On July 17, 2026, a working proof-of-concept exploit was published on GitHub, making the vulnerability actionable for both security auditors and potential threat actors.
  • CVE Assignment: By July 18, the vulnerabilities were officially indexed in the CVE database, and security scanners began integrating checks for the flaws.

Supporting Data and Affected Demographics

The scale of the threat is tied directly to the massive market share held by WordPress. Industry estimates from Searchlight Cyber suggest that over 500 million websites currently utilize the WordPress platform. However, the specific "blast radius" for wp2shell is more nuanced. The RCE chain specifically targets versions 6.9 and above. Version 6.9 was released on December 2, 2025, meaning that only sites updated within the last eight months are at risk of the full RCE attack.

While older versions, such as 6.8, are not susceptible to the batch-route confusion that enables unauthenticated access, they are still vulnerable to the underlying SQL injection (CVE-2026-60137). Consequently, WordPress released version 6.8.6 to patch the injection flaw for those on older release cycles.

An important mitigating factor discovered by Cloudflare researchers is the role of persistent object caching. The code execution path relies on specific memory states that are disrupted when a site uses an external caching layer like Redis or Memcached. Sites utilizing these technologies as a persistent object cache may be protected from the RCE component of the chain, though they remain vulnerable to the SQL injection. However, since the default WordPress installation does not include a persistent object cache, the vast majority of standard installs remain fully exposed until patched.

Official Responses and Security Ratings

The reaction from WordPress and the broader security industry has been swift, though not without some discrepancy in how the risk is quantified. WordPress has categorized the RCE chain as "Critical" in its internal advisories. Conversely, the official CVE record initially assigned a score of 7.5 (High), citing impact metrics that focused on data access rather than full system compromise. The SQL injection component, however, has received scores as high as 9.1, reflecting its direct impact on database integrity.

To combat the threat, WordPress utilized its auto-update system to force patches onto millions of sites. This "forced push" is a controversial but effective tool reserved for vulnerabilities of the highest severity. It remains unclear, however, if this update reached sites where the owner had manually disabled the auto-update feature.

Major security providers have also stepped in. Cloudflare implemented Web Application Firewall (WAF) rules shortly after the disclosure to block attempts to exploit the /wp-json/batch/v1 endpoint. Similarly, vulnerability management firms like Rapid7 announced that authenticated checks for their scanning products would be live by July 20, 2026.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

Broader Impact and Implications for the Ecosystem

The emergence of wp2shell underscores a growing trend in the cybersecurity landscape: the industrialization of CMS exploitation. Groups like the "WP-SHELLSTORM" crew have demonstrated that even minor or patched vulnerabilities can be leveraged to compromise tens of thousands of sites in a matter of days. In June 2026, a leak from a hacker-controlled server revealed that a single caching-plugin flaw had been used to breach over 17,000 sites. The wp2shell vulnerability is significantly more dangerous because it does not require a specific plugin and targets the default configuration of the core software.

The disclosure of wp2shell also highlights the "double-edged sword" of open-source security. When a patch is released for an open-source project like WordPress, the code changes are visible to everyone. For sophisticated attackers, the patch serves as a roadmap to the vulnerability. This creates a "race condition" where the time between the patch release and the development of an exploit is often less than 24 hours. In the case of wp2shell, the release of the fix on Friday led to a public exploit by the following Wednesday.

Recommended Mitigations for Administrators

For website administrators who are unable to update to versions 6.9.5 or 7.0.2 immediately, several temporary mitigations have been proposed. The primary goal is to prevent anonymous access to the REST API batch endpoint.

  1. Restrict the Batch Endpoint: Administrators can use server-level configurations (such as .htaccess in Apache or nginx.conf) to block all requests to /wp-json/batch/v1 from external IP addresses.
  2. Implement a WAF: Utilizing a Web Application Firewall that has updated signatures for CVE-2026-63030 can provide a layer of protection while the core software is being updated.
  3. Disable REST API for Anonymous Users: While this may break some site functionality, plugins or code snippets that require authentication for all REST API access can effectively neutralize the batch-route confusion.
  4. Enable Persistent Object Caching: While not a substitute for a patch, implementing Redis or Memcached can break the specific chain required for code execution, though it does not fix the underlying SQL injection.

Ultimately, these measures are stopgaps. The only definitive solution is the application of the official security updates provided by the WordPress core team. As the exploit is now public, the volume of scanning traffic targeting these specific vulnerabilities is expected to increase exponentially over the coming days. The speed at which the global WordPress install base adopts the latest patches will determine the ultimate impact of the wp2shell vulnerability on the integrity of the web.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Jar Digital
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.