Severe Vulnerability in WordPress wp2shell Allows Unauthenticated Users to Run Remote Code

Try Our Free Tools!
Master the web with Free Tools that work as hard as you do. From Text Analysis to Website Management, we empower your digital journey with expert guidance and free, powerful tools.

A severe pre-authentication remote code execution (RCE) vulnerability, designated as “wp2shell,” has been identified within WordPress Core.

This alarming flaw requires no conditions for exploitation and can be leveraged by anonymous attackers against standard installations of WordPress, even those with no active plugins.

This vulnerability places a substantial proportion of the approximately 500 million WordPress-powered websites at grave risk.

Critical WordPress wp2shell Flaw

The vulnerability, unearthed by Adam Kues from Assetnote, arises from a REST API batch-route confusion that facilitates SQL injection, ultimately leading to unrestricted remote code execution.

In light of the exploit’s gravity and pre-authentication nature, Searchlight Cyber has refrained from disclosing technical details, granting site owners a window to implement necessary patches before any proof-of-concept information emerges.

To assist administrators in evaluating their exposure, the research team has deployed a public scanning tool at wp2shell[.]com, allowing website owners to ascertain if their installation is vulnerable.

Affected Versions

  • WordPress ≤6.8.5: not affected
  • WordPress 6.9.0–6.9.4: affected
  • WordPress 7.0.0–7.0.1: affected
  • WordPress 7.1 beta (pre-release): affected

Two CVE identifiers have been assigned to monitor the issue. CVE-2026-60137 (GHSA-fpp7-x2x2-2mjf) pertains to the facilitated SQL injection issue present in the WP_Query component.

Meanwhile, CVE-2026-63030 (GHSA-ff9f-jf42-662q), bearing a CVSS score of 7.5 despite its critical nature, addresses the REST API batch-route confusion chain culminating in RCE.

Patch Availability

WordPress has acted promptly by releasing version 7.0.2, a security update that rectifies both critical and high-severity issues. Backport fixes are additionally accessible:

  • WordPress 6.9.5 — patches both vulnerabilities
  • WordPress 6.8.6 — addresses the SQL injection issue only (6.8.x is not impacted by the RCE chain)
  • WordPress 7.1 beta2 — resolves both issues ahead of the 7.1 stable release

Due to the exploit’s critical severity, the WordPress team has initiated forced automatic updates for sites operating with affected versions, overriding normal protocols for major release auto-updates.

Mitigation

Close-up of the WordPress app download page on a tablet, showing its logo, rating, and a blue cloud icon.

Site administrators are strongly advised to update without delay, utilizing the WordPress Dashboard (“Updates” > “Update Now”) or by manually downloading version 7.0.2 from WordPress.org.

For environments unable to immediately patch, Searchlight Cyber advocates for emergency interim measures: Install a plugin that entirely blocks anonymous access to the REST API and restrict access to /wp-json/batch/v1 and ?rest_route=/batch/v1 at the WAF level.

While these workarounds may interfere with legitimate REST API functionality, they should be regarded strictly as temporary solutions until the formal patch is applied.

Source link: Cyberpress.org.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

Souvik Banerjee

I’m Souvik Banerjee from Kolkata, India. As a Marketing Manager at RS Web Solutions (RSWEBSOLS), I specialize in digital marketing, SEO, programming, web development, and eCommerce strategies. I also write tutorials and tech articles that help professionals better understand web technologies.
Share the Love
Related News Worth Reading