VYPR
patchPublished Jul 18, 2026· 1 source

WordPress Core 'wp2shell' RCE Flaws See Public Exploits, Urgent Patching Advised

Critical 'wp2shell' vulnerabilities in WordPress Core, CVE-2026-63030 and CVE-2026-60137, are now exploitable via public proof-of-concept code, prompting urgent calls for updates.

Critical remote code execution (RCE) vulnerabilities, collectively dubbed "wp2shell," have been discovered in WordPress Core, and public exploits are now readily available, significantly escalating the risk for website administrators. The "wp2shell" attack chain involves two distinct flaws, CVE-2026-63030 and CVE-2026-60137, which can be chained together by an unauthenticated attacker to achieve pre-authentication RCE on WordPress installations running versions 6.9.x and 7.0.x.

The vulnerabilities were identified by Searchlight Cyber's security research team. They noted that the attack has no preconditions and can be exploited against a default WordPress installation without any additional plugins. Given that WordPress powers an estimated 500 million websites globally, the potential impact of these flaws is immense, especially with the release of public proof-of-concept exploits.

In response to the severity of the vulnerabilities, the WordPress security team has activated forced automatic security updates for supported installations running the affected versions. Site owners are strongly urged to update to WordPress 7.0.2 or 6.9.5 immediately. The WordPress.org team stated, "Because this is a security release, it is recommended that you update your sites immediately." They further emphasized the forced update mechanism for affected sites.

The "wp2shell" attack is not a single vulnerability but a combination of two independent flaws. The first, CVE-2026-63030, is a REST API batch-route confusion vulnerability introduced in WordPress 6.9. This flaw, when combined with a SQL injection issue, can lead to remote code execution. The second vulnerability, CVE-2026-60137, is a high-severity SQL injection flaw within the 'author__not_in' parameter of 'WP_Query', affecting WordPress 6.8 and later versions.

The complete RCE chain affects WordPress versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. While the SQL injection vulnerability alone impacts WordPress 6.8.0 through 6.8.5, it cannot be chained for RCE without the REST API batch-route confusion bug, which was introduced in WordPress 6.9. The fixes are available in WordPress 6.9.5 and 7.0.2.

Searchlight Cyber has initially withheld full technical details to allow administrators time to patch, instead launching wp2shell.com to help site owners test their vulnerability. For those unable to update immediately, temporary mitigations include installing a plugin to block anonymous REST API access or using a Web Application Firewall (WAF) to block specific API endpoints. Cloudflare has already deployed WAF protections for both vulnerabilities across its platform.

Despite Searchlight Cyber's efforts to delay full disclosure, multiple public proof-of-concept exploits have surfaced on GitHub. Some exploits demonstrate extracting password hashes via SQL injection to gain administrative access, while others claim to achieve pre-authentication RCE directly. Security firm watchTowr has reported observing in-the-wild exploitation following the release of these public exploits, highlighting the immediate threat.

Given the availability of public exploits and confirmed in-the-wild activity, it is critical for all WordPress administrators to update their sites to the patched versions, 7.0.2 or 6.9.5, as soon as possible to prevent potential compromise.

Synthesized by Vypr AI