Cybersecurity

Critical Security Flaw in WordPress Core Leaves Millions of Websites Vulnerable to Remote Code Execution

The global cybersecurity landscape faced a significant tremor this week as a critical vulnerability in the WordPress core was disclosed, potentially exposing millions of websites to complete takeover via an anonymous HTTP request. The flaw, which resides in the fundamental architecture of the world’s most popular content management system (CMS), allows for unauthenticated Remote Code Execution (RCE), meaning an attacker requires no credentials, special privileges, or specific plugin configurations to compromise a target server. Dubbed "wp2shell" by the researchers who discovered it, the vulnerability affects WordPress versions 6.9 and 7.0, marking one of the most significant threats to the platform’s core security in recent years.

The Discovery of wp2shell

The vulnerability was identified by Adam Kues, a lead researcher at Assetnote, the attack surface management division of Searchlight Cyber. Kues discovered the flaw through rigorous testing of the WordPress REST API and reported the findings through the official WordPress bug bounty program hosted on HackerOne. Unlike many vulnerabilities that rely on the interaction between third-party plugins or specific theme configurations, wp2shell is located within the WordPress core files. This means that a "bare" installation—a fresh site with zero plugins and default settings—is fully exploitable.

In a technical advisory published shortly after the patch release, Assetnote characterized the attack as having "no preconditions," a terrifying prospect for system administrators. The ease of exploitation, combined with the ubiquity of WordPress, which powers over 43% of the internet, creates a massive attack surface for malicious actors. While the researchers have opted to withhold the full technical details of the exploit payload to allow time for the global community to patch, they have released a diagnostic tool at wp2shell.com, enabling site owners to verify if their instances remain vulnerable.

Technical Breakdown: REST API and Route Confusion

The core of the issue lies in the WordPress REST API, specifically within the batch-route processing system. WordPress introduced the REST API batch framework in version 5.6 in November 2020, allowing developers to send multiple API requests in a single HTTP call to improve performance and reduce latency. However, the implementation in versions 6.9 and 7.0 introduced a logic error described by WordPress officials as a "REST API batch-route confusion and SQL injection issue."

According to the version 7.0.2 documentation, the fix involved modifying three critical files: /wp-includes/rest-api/class-wp-rest-server.php, /wp-includes/class-wp-query.php, and /wp-includes/rest-api.php. Security analysts suggest that the "route confusion" likely stems from how the server parses nested or batched requests, potentially allowing an attacker to bypass authentication checks by confusing the server about which endpoint is being accessed. When combined with a secondary SQL injection flaw, this confusion provides a pathway for the attacker to execute arbitrary code on the underlying server, effectively granting them "shell" access.

Chronology of the Vulnerability and Response

The timeline of the wp2shell vulnerability highlights the rapid pace at which the WordPress security team must operate to protect its massive user base.

  • December 2, 2025: WordPress 6.9 is released. The flawed code is introduced into the core architecture during this update cycle.
  • Early 2026: Adam Kues of Assetnote identifies the flaw during an audit of REST API batching logic.
  • July 2026: The vulnerability is reported via HackerOne. WordPress developers begin working on a silent patch to prevent premature disclosure.
  • July 17, 2026: WordPress officially releases versions 6.9.5 and 7.0.2. These updates contain the critical fixes for the RCE and a secondary SQL injection bug.
  • July 17, 2026 (Afternoon): WordPress triggers its "forced update" system, attempting to push the security patch to all eligible sites automatically.
  • July 18, 2026: Searchlight Cyber publishes the wp2shell advisory, and the security community begins analyzing the patch to understand the underlying mechanics.

The release of version 7.1 beta2 also included the fix, ensuring that developers working on the cutting edge of the platform were protected before the next major version rollout.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

The Scale of the Threat: Supporting Data and Statistics

The scale of the potential impact is staggering. Searchlight Cyber’s research center estimates that over 500 million websites currently run on WordPress. While not all of these sites are running the affected versions (6.9 and 7.0), the adoption rate for newer versions of WordPress is traditionally high due to the platform’s aggressive update notifications.

Since version 6.9 only shipped in late 2025, every vulnerable site is running a release that is less than eight months old. This suggests that the affected population consists of active, modern websites—those most likely to be high-value targets for data theft, ransomware, or botnet recruitment. In comparison, older vulnerabilities often linger on "zombie" sites that are no longer maintained; wp2shell, however, targets the most current and active segment of the web.

The risk of mass exploitation is not theoretical. Historically, WordPress core vulnerabilities have been exploited within hours of a patch being analyzed. For instance, the "WP-SHELLSTORM" campaign earlier this year successfully compromised over 17,000 sites by exploiting a known flaw in a popular caching plugin. A core vulnerability like wp2shell, which requires no specific plugin to be present, could easily dwarf those numbers if site owners do not move quickly.

Official Responses and the "Forced Update" Controversy

The WordPress core team has been relatively tight-lipped about the specifics of the RCE, likely to prevent the creation of "one-click" exploit kits. In their official release post for version 7.0.2, the team categorized the update as a "security and maintenance release" and urged immediate action.

A point of contention within the community has been the use of "forced updates." While WordPress has the capability to push critical security patches to sites automatically, many enterprise-level administrators disable this feature to prevent unexpected site breakage. WordPress has not explicitly confirmed whether the forced push will override settings on sites where auto-updates are disabled. This ambiguity has led security experts to advise administrators to manually verify their version numbers rather than assuming the patch has been applied.

"Check what you are actually running rather than assume it landed," warned a representative from Searchlight Cyber. "In an enterprise environment, a ‘forced update’ is a double-edged sword. It saves the unprepared but can disrupt carefully managed CI/CD pipelines."

Broader Impact and Industry Implications

The wp2shell disclosure has broader implications for the cybersecurity industry, particularly regarding how vulnerabilities are tracked and cataloged. As of July 18, 2026, no CVE (Common Vulnerabilities and Exposures) ID has been assigned to the flaw, and no CVSS score has been finalized.

The absence of a CVE ID creates a significant blind spot for automated security scanners and enterprise inventory management tools. Organizations that rely on CVE-keyed databases to flag vulnerabilities will not see wp2shell in their reports until the ID is formally issued. Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA) cannot add the vulnerability to its "Known Exploited Vulnerabilities" (KEV) catalog without a CVE, potentially delaying federal and institutional responses to the threat.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

This "CVE lag" highlights a growing tension between the speed of open-source development and the bureaucratic pace of vulnerability cataloging. For now, the security community must rely on version-string matching—a more manual and error-prone process—to identify at-risk systems.

Analysis: The Open-Source Security Dilemma

The wp2shell incident underscores the inherent dilemma of open-source software. Because the WordPress source code is public, the act of releasing a patch is simultaneously an act of revealing the vulnerability’s location. By comparing the code in version 7.0.1 to the fixed code in 7.0.2, malicious actors can "reverse-engineer" the fix to create a working exploit.

This "race against the clock" is the primary reason why firms like Assetnote and Searchlight Cyber often withhold technical write-ups for several days or weeks following a patch. However, as noted by industry analysts, the "clock" is set by the attackers, not the defenders. In previous instances, such as the Drupal core SQL injection in May 2026, researchers were able to produce a working proof-of-concept (PoC) within hours of the patch release.

The WordPress ecosystem is particularly vulnerable to this dynamic because of its sheer size. The "industry" of WordPress exploitation is highly automated, with botnets constantly scanning the web for specific version strings. For these attackers, a core RCE is the "holy grail"—a single exploit that works against nearly half the internet.

Mitigation Strategies for Administrators

For those unable to update to 6.9.5 or 7.0.2 immediately due to compatibility concerns or testing requirements, the security community has proposed several stopgap measures. These mitigations are intended to reduce the attack surface until a proper patch can be deployed:

  1. Restrict Access to the REST API: Organizations can use security plugins or custom code snippets to disable the REST API for unauthenticated users. Since the wp2shell exploit is "pre-auth," requiring authentication to access the API endpoints can effectively block the attack vector.
  2. Filter Batch Requests: Using a Web Application Firewall (WAF) to inspect and block requests to the /wp-json/batch/v1 endpoint can prevent the "route confusion" from being triggered. Many major WAF providers, such as Cloudflare and Sucuri, are expected to deploy virtual patches for their customers.
  3. Monitor Traffic for Anomalies: Security teams should look for unusual patterns in HTTP traffic, particularly large volumes of POST requests to the REST API endpoints from anonymous IP addresses.

While these measures provide temporary relief, they are not a substitute for a core update. Disabling the REST API or batching functionality can break legitimate site features, such as the Block Editor (Gutenberg) or third-party integrations, and should only be used as an emergency measure.

Conclusion: A Wake-Up Call for Web Security

As the digital world waits to see the first reports of active exploitation, the wp2shell vulnerability serves as a stark reminder of the fragility of the modern web’s infrastructure. WordPress is no longer just a blogging platform; it is the backbone of global commerce, news, and government communication. A flaw in its core is a flaw in the foundation of the internet itself.

The coming days will be a test of the WordPress auto-update system and the vigilance of the global community of system administrators. Whether wp2shell becomes a footnote in security history or the catalyst for a wave of global cyberattacks depends entirely on how quickly the patch can outpace the exploit. For now, the directive to all WordPress users is clear: update immediately, verify your version, and remain vigilant as the technical details of this critical flaw inevitably come to light.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Jar Digital
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.