Serious Vulnerability in WordPress Core Allows Anonymous Hackers to Achieve Remote Code Execution

Try Our Free Tools!
Master the web with Free Tools that work as hard as you do. From Text Analysis to Website Management, we empower your digital journey with expert guidance and free, powerful tools.

A newly revealed pre-authentication remote code execution (RCE) vulnerability in WordPress Core, known as “wp2shell,” necessitates no authentication, impacting standard WordPress installations devoid of any plugins.

This flaw is particularly concerning given that WordPress underpins an estimated 500 million websites around the globe.

This vulnerability marks one of the most critical security disclosures in content management systems (CMS) in recent times.

The root of the issue lies in a REST API batch-route ambiguity compounded by a SQL injection deficiency, which together facilitate complete RCE.

Critical WordPress Core Flaw

Identified and disclosed by researcher Adam Kues of Assetnote, this vulnerability has been allocated CVE-2026-63030 (GHSA-ff9f-jf42-662q). Another related SQL injection vulnerability reported by TF1T, dtro, and haongo has been assigned CVE-2026-60137 (GHSA-fpp7-x2x2-2mjf).

Due to its nature, stated exploitation procedures impose no prior requirements or valid credentials, effectively allowing any anonymous attacker to exploit a vulnerable site effortlessly.

Searchlight Cyber has deliberately withheld intricate exploitation methodologies to provide site administrators the opportunity to implement patches.

However, a public scanner is available at wp2shell.]com, enabling site operators to assess their exposure without necessitating extensive technical knowledge.

Affected Versions
  • WordPress ≤6.8.5: Not susceptible to the RCE chain (6.8.x only affected by CVE-2026-60137).
  • WordPress 6.9.0–6.9.4: Vulnerable to both flaws.
  • WordPress 7.0.0–7.0.1: Vulnerable to both flaws.
  • WordPress 7.1 beta releases: Vulnerable; rectified in 7.1 beta2.

Patches and Mitigation

The WordPress security team has responded with the release of version 7.0.2, addressing one critical issue and one high-severity vulnerability. Backported versions include 6.9.5 and 6.8.6.

In light of the RCE’s severity, WordPress has enacted forced auto-updates for all sites running affected versions, though administrators are urged to manually verify these updates.

Site owners can proceed with updates via the WordPress Dashboard under Updates → Update Now, or by downloading the release directly from WordPress.org.

For scenarios where immediate patching isn’t practical, Searchlight Cyber advocates temporary mitigations:

  • Install a plugin that entirely obstructs anonymous access to the REST API.
  • Block /wp-json/batch/v1 and ?rest_route=/batch/v1 at the firewall level.

These measures may disrupt legitimate functionality of the REST API and should be regarded as provisional stopgaps until comprehensive updates are executed.

When combined with WordPress’s extensive installed base, wp2shell presents a considerable risk for widespread automated exploitation as soon as technical details become accessible or are reverse-engineered from patch diffs.

Person wearing a WordPress t-shirt types on a keyboard at a desk with a computer monitor and a mug labeled WordPress OKULLU.

Security teams and site administrators are strongly urged to expedite updates, verify patch statuses utilizing the wp2shell[.]com tool, and closely monitor logs for suspicious REST API batch requests targeting /wp-json/batch/v1.

Source link: Gbhackers.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

Souvik Banerjee

I’m Souvik Banerjee from Kolkata, India. As a Marketing Manager at RS Web Solutions (RSWEBSOLS), I specialize in digital marketing, SEO, programming, web development, and eCommerce strategies. I also write tutorials and tech articles that help professionals better understand web technologies.
Share the Love
Related News Worth Reading