A severe pre-authentication remote code execution (RCE) vulnerability, designated as “wp2shell,” has been identified within WordPress Core.
This alarming flaw requires no conditions for exploitation and can be leveraged by anonymous attackers against standard installations of WordPress, even those with no active plugins.
This vulnerability places a substantial proportion of the approximately 500 million WordPress-powered websites at grave risk.
Critical WordPress wp2shell Flaw
The vulnerability, unearthed by Adam Kues from Assetnote, arises from a REST API batch-route confusion that facilitates SQL injection, ultimately leading to unrestricted remote code execution.
In light of the exploit’s gravity and pre-authentication nature, Searchlight Cyber has refrained from disclosing technical details, granting site owners a window to implement necessary patches before any proof-of-concept information emerges.
To assist administrators in evaluating their exposure, the research team has deployed a public scanning tool at wp2shell[.]com, allowing website owners to ascertain if their installation is vulnerable.
Affected Versions
- WordPress ≤6.8.5: not affected
- WordPress 6.9.0–6.9.4: affected
- WordPress 7.0.0–7.0.1: affected
- WordPress 7.1 beta (pre-release): affected
Two CVE identifiers have been assigned to monitor the issue. CVE-2026-60137 (GHSA-fpp7-x2x2-2mjf) pertains to the facilitated SQL injection issue present in the WP_Query component.
Meanwhile, CVE-2026-63030 (GHSA-ff9f-jf42-662q), bearing a CVSS score of 7.5 despite its critical nature, addresses the REST API batch-route confusion chain culminating in RCE.
Patch Availability
WordPress has acted promptly by releasing version 7.0.2, a security update that rectifies both critical and high-severity issues. Backport fixes are additionally accessible:
- WordPress 6.9.5 — patches both vulnerabilities
- WordPress 6.8.6 — addresses the SQL injection issue only (6.8.x is not impacted by the RCE chain)
- WordPress 7.1 beta2 — resolves both issues ahead of the 7.1 stable release
Due to the exploit’s critical severity, the WordPress team has initiated forced automatic updates for sites operating with affected versions, overriding normal protocols for major release auto-updates.
Mitigation

Site administrators are strongly advised to update without delay, utilizing the WordPress Dashboard (“Updates” > “Update Now”) or by manually downloading version 7.0.2 from WordPress.org.
For environments unable to immediately patch, Searchlight Cyber advocates for emergency interim measures: Install a plugin that entirely blocks anonymous access to the REST API and restrict access to /wp-json/batch/v1 and ?rest_route=/batch/v1 at the WAF level.
While these workarounds may interfere with legitimate REST API functionality, they should be regarded strictly as temporary solutions until the formal patch is applied.
Source link: Cyberpress.org.





