New wp2shell Vulnerability in WordPress Core Allows Unauthenticated Users to Execute Code

Try Our Free Tools!
Master the web with Free Tools that work as hard as you do. From Text Analysis to Website Management, we empower your digital journey with expert guidance and free, powerful tools.

WordPress Vulnerability Update: New Flaws Exposed

Updated July 18, 2026: Recent developments reveal that two critical vulnerabilities now possess CVE identifiers, the full exploit mechanism has been detailed, a persistent-object-cache condition has emerged, and a functional proof-of-concept is accessible. The narrative below encapsulates these findings.

A vulnerability exists within WordPress that allows an anonymous HTTP request to execute code. This flaw is embedded in the core system, rendering even a pristine installation devoid of plugins susceptible to exploitation.

Until last Friday, all versions from 6.9 to 7.0 were at risk; however, an update to versions 6.9.5 and 7.0.2 has implemented what WordPress designates as forced updates via its auto-updating feature.

wp2shell comprises two distinct vulnerabilities, both now assigned CVE IDs. The first, CVE-2026-63030, pertains to confusion within the REST API batch route; the second, CVE-2026-60137, is an SQL injection found within WordPress’s core architecture.

When combined, these vulnerabilities allow an anonymous request to escalate to code execution.

Since the recent patch release, comprehensive details regarding the exploit mechanism have been made public, accompanied by a functional proof-of-concept on GitHub.

Adam Kues from Assetnote, a division of Searchlight Cyber focused on attack surface management, discovered the batch-route flaw and duly reported it through WordPress’s HackerOne program.

The associated report, published under the banner of wp2shell, asserts that the exploit bears “no preconditions and can be leveraged by an anonymous user.” The SQL injection was reported independently by researchers TF1T, dtro, and haongo.

Searchlight continues to withhold its technical analysis, directing website owners to a verification tool at wp2shell.com. This hesitation, however, is less pertinent now as the patch has been publicized and is subject to scrutiny by other researchers.

The two vulnerabilities do not affect the same versions of WordPress, which is crucial for understanding the exposure level.

The SQL injection vulnerability is present in versions dating back to 6.8. The batch-route confusion, which allows for unauthenticated remote code execution (RCE), only manifests in versions beginning with 6.9.

The affected ranges are delineated as follows:

  • 6.8.0 to 6.8.5: Vulnerable to SQL injection only, resolved in 6.8.6
  • 6.9.0 to 6.9.4: Full RCE chain, repaired in 6.9.5
  • 7.0.0 to 7.0.1: Full RCE chain, remedied in 7.0.2

Version 7.1 beta2 contains both remedial updates. A site running version 6.8 is not susceptible to RCE through this particular vulnerability chain, thereby justifying the focused patch for the SQL injection in version 6.8.6.

WordPress has yet to clarify if the forced update applies to installations where auto-updates have been disabled. It is advisable for users to confirm their current version rather than making assumptions regarding patch installation.

Searchlight’s analysis posits that over 500 million websites operate on WordPress. This figure reflects the overall install base, not the subset that is currently exposed; the RCE vulnerability chain exists solely from version 6.9, which was released on December 2, 2025.

Hence, any site vulnerable to the code-execution route must be utilizing a version less than eight months old, although the advisory does not specify the exact number of affected sites.

The vulnerabilities hinge on subtle oversights. The SQL injection stems from the author__not_in parameter within WP_Query: by inputting a string instead of an array, the validation process that expects an array is circumvented, allowing a raw input to infiltrate the query.

Accessing that parameter without authentication is feasible via the batch endpoint. The /wp-json/batch/v1 route facilitates multiple sub-requests in a single invocation, tracking them in parallel arrays; an error in one sub-request disrupts the alignment, leading to misrouting that allows malicious input to penetrate the vulnerable query languidly.

This batch endpoint has existed since version 5.6 in 2020, while the exploitation method was introduced in version 6.9.

The scoring for these vulnerabilities warrants careful examination. WordPress’s advisory categorizes the RCE chain as Critical, yet the CVE record assesses it at 7.5, merely High, with impact metrics solely accounting for data access and neglecting the potential integrity or availability compromises inherent to code execution. The SQL injection exhibits a score exceeding 9.1, marking it as Critical.

Despite the widespread characterization of the vulnerability as a critical RCE, it is, according to its own cataloging, the lesser of the two issues, given that the scoring system prioritizes the injection’s direct impact on the database over the route confusion, which is treated merely as a parsing obscurity. It is essential to monitor both CVE identifiers rather than relying on the labels assigned to them.

A single mitigating factor limits the scope of potential damage. The pathway to code execution is only viable in the absence of a persistent object cache, as outlined by Cloudflare, which has also released WAF rules in conjunction with this disclosure. A standard installation lacks this cache, thus maintaining the default exposure risks.

Sites utilizing Redis or Memcached as a persistent object cache may be insulated from this particular exploit, yet this is a side-effect rather than a definitive solution, and it fails to address the SQL injection vulnerability.

With the assignment of CVE IDs, scanning tools can finally detect these vulnerabilities: Rapid7 is set to implement authenticated checks for InsightVM and Nexpose by July 20.

The weaknesses are not listed on CISA’s KEV catalog, which requires confirmed exploitation reports, of which none had surfaced as of July 18. However, this false comfort should not be understated.

The rampant exploitation of WordPress has become a veritable industry. Prior to the leak of its server in June, a single caching-plugin vulnerability granted the WP-SHELLSTORM group access to over 17,000 sites, a figure derived from their own assessment, utilizing a flaw that was already public, patched, and only applicable under specific non-default configurations. This latest vulnerability is publicly known, patched, and exploits default settings.

Interim Measures if Immediate Update is Impossible

Searchlight offers several mitigations aimed at restricting anonymous access to the batch endpoint. All solutions are to serve as temporary measures until an update can be executed, and may disrupt legitimate functionalities:

  • Implement WAF rules to block both /wp-json/batch/v1 and rest_route=/batch/v1. All of these must be disallowed, as a rule that only addresses the /wp-json path would leave the query-string route open. Cloudflare has indicated that its managed WAF currently blocks the exploit for protected sites.
  • Disabling the WP REST API will entirely eliminate unauthenticated REST access.
  • Create a lightweight drop-in plugin from Searchlight that rejects anonymous requests at rest_pre_dispatch directed towards /batch/v1.

As WordPress core remains open source, the release inherently details the files undergoing modification. This transparency was always anticipated.

Despite their reservations, Searchlight’s analysis was promptly read by other researchers, leading to the publication of the exploit’s mechanism on GitHub, aptly showcasing the rapid pace of vulnerability disclosures.

It is impossible to distribute a fix without simultaneously disseminating the roadmap to the flaw. The key factor remains the speed at which the patch can propagate to installations before the exploit is fully understood, a task that WordPress has executed with alacrity as of Friday.

white and blue printer paper

Now that the exploit details have been publicly shared, the update process is ongoing. Monitoring WordPress’s version statistics will reveal how many installations have adopted the patch.

Conversely, tracking traffic against batch/v1 will inform how many nefarious actors are probing for vulnerabilities. The steeper of these two curves will determine how this incident is ultimately memorialized.

Source link: Thehackernews.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

Souvik Banerjee

I’m Souvik Banerjee from Kolkata, India. As a Marketing Manager at RS Web Solutions (RSWEBSOLS), I specialize in digital marketing, SEO, programming, web development, and eCommerce strategies. I also write tutorials and tech articles that help professionals better understand web technologies.
Share the Love
Related News Worth Reading