A newly revealed pre-authentication remote code execution (RCE) vulnerability in WordPress Core, known as “wp2shell,” necessitates no authentication, impacting standard WordPress installations devoid of any plugins.
This flaw is particularly concerning given that WordPress underpins an estimated 500 million websites around the globe.
This vulnerability marks one of the most critical security disclosures in content management systems (CMS) in recent times.
The root of the issue lies in a REST API batch-route ambiguity compounded by a SQL injection deficiency, which together facilitate complete RCE.
Critical WordPress Core Flaw
Identified and disclosed by researcher Adam Kues of Assetnote, this vulnerability has been allocated CVE-2026-63030 (GHSA-ff9f-jf42-662q). Another related SQL injection vulnerability reported by TF1T, dtro, and haongo has been assigned CVE-2026-60137 (GHSA-fpp7-x2x2-2mjf).
Due to its nature, stated exploitation procedures impose no prior requirements or valid credentials, effectively allowing any anonymous attacker to exploit a vulnerable site effortlessly.
Searchlight Cyber has deliberately withheld intricate exploitation methodologies to provide site administrators the opportunity to implement patches.
However, a public scanner is available at wp2shell.]com, enabling site operators to assess their exposure without necessitating extensive technical knowledge.
Affected Versions
- WordPress ≤6.8.5: Not susceptible to the RCE chain (6.8.x only affected by CVE-2026-60137).
- WordPress 6.9.0–6.9.4: Vulnerable to both flaws.
- WordPress 7.0.0–7.0.1: Vulnerable to both flaws.
- WordPress 7.1 beta releases: Vulnerable; rectified in 7.1 beta2.
Patches and Mitigation
The WordPress security team has responded with the release of version 7.0.2, addressing one critical issue and one high-severity vulnerability. Backported versions include 6.9.5 and 6.8.6.
In light of the RCE’s severity, WordPress has enacted forced auto-updates for all sites running affected versions, though administrators are urged to manually verify these updates.
Site owners can proceed with updates via the WordPress Dashboard under Updates → Update Now, or by downloading the release directly from WordPress.org.
For scenarios where immediate patching isn’t practical, Searchlight Cyber advocates temporary mitigations:
- Install a plugin that entirely obstructs anonymous access to the REST API.
- Block
/wp-json/batch/v1and?rest_route=/batch/v1at the firewall level.
These measures may disrupt legitimate functionality of the REST API and should be regarded as provisional stopgaps until comprehensive updates are executed.
When combined with WordPress’s extensive installed base, wp2shell presents a considerable risk for widespread automated exploitation as soon as technical details become accessible or are reverse-engineered from patch diffs.

Security teams and site administrators are strongly urged to expedite updates, verify patch statuses utilizing the wp2shell[.]com tool, and closely monitor logs for suspicious REST API batch requests targeting /wp-json/batch/v1.
Source link: Gbhackers.com.





