WordPress: New wp2shell RCE Vulnerability Hits Millions of WordPress Sites, Emergency Patch Released

WordPress: New wp2shell RCE Vulnerability Hits Millions of WordPress Sites, Emergency Patch Released

Critical "wp2shell" RCE Vulnerability in WordPress Core Exposes 500M+ Sites to Takeover

A severe pre-authentication remote code execution (RCE) flaw, dubbed wp2shell, has been discovered in WordPress Core, leaving over 500 million websites vulnerable to full compromise by unauthenticated attackers. Security researcher Adam Kues of Searchlight Cyber’s Assetnote team identified the bug, which stems from a REST API batch-route confusion issue leading to SQL injection and, ultimately, RCE.

The vulnerability is particularly dangerous because it requires no prior access, plugins, or special configurations only a reachable WordPress instance running an affected version. Exploiting it allows attackers to execute arbitrary code without authentication, making it a zero-click threat.

Affected Versions & Patches
The flaw impacts WordPress versions 6.9.0–6.9.4, 7.0.0–7.0.1, and 7.1 beta (pre-release). Two CVEs track the issue:

  • CVE-2026-60137 (SQL injection, also affecting WordPress 6.8.x before 6.8.6)
  • CVE-2026-63030 (batch-route RCE, reported by Kues)

WordPress has released 7.0.2, 6.9.5, and 6.8.6 to address both flaws, with auto-updates force-pushed to affected sites due to the severity. Manual updates are also available via the WordPress Dashboard or direct download.

Mitigation & Workarounds
While patching is strongly recommended, temporary measures include:

  • Blocking anonymous REST API access via plugin.
  • Restricting access to /wp-json/batch/v1 and ?rest_route=/batch/v1 endpoints at the WAF level.

The WordPress security team credited researchers TF1T, dtro, and haongo for the SQL injection discovery, alongside Kues for the RCE chain. Technical exploit details remain undisclosed to prevent immediate exploitation.

Source: https://cybersecuritynews.com/wp2shell-rce-vulnerability/

WordPress TPRM report: https://www.rankiteo.com/company/wordpress

"id": "wor1784348620",
"linkid": "wordpress",
"type": "Vulnerability",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '500M+ websites',
                        'industry': 'Web Development/Technology',
                        'location': 'Global',
                        'name': 'WordPress',
                        'size': '500M+ websites',
                        'type': 'Content Management System (CMS)'}],
 'attack_vector': 'Unauthenticated REST API exploitation',
 'description': 'A severe pre-authentication remote code execution (RCE) flaw, '
                'dubbed *wp2shell*, has been discovered in WordPress Core, '
                'leaving over 500 million websites vulnerable to full '
                'compromise by unauthenticated attackers. The vulnerability '
                'stems from a REST API batch-route confusion issue leading to '
                'SQL injection and, ultimately, RCE. Exploiting it allows '
                'attackers to execute arbitrary code without authentication, '
                'making it a zero-click threat.',
 'impact': {'operational_impact': 'Full site takeover possible',
            'systems_affected': '500M+ WordPress sites'},
 'post_incident_analysis': {'corrective_actions': ['Patching vulnerable '
                                                   'WordPress versions',
                                                   'Enhancing REST API '
                                                   'security'],
                            'root_causes': 'REST API batch-route confusion '
                                           'leading to SQL injection and RCE'},
 'recommendations': ['Apply patches immediately (WordPress 7.0.2, 6.9.5, or '
                     '6.8.6)',
                     'Block anonymous REST API access via plugin',
                     'Restrict access to vulnerable endpoints at the WAF '
                     'level'],
 'references': [{'source': 'Searchlight Cyber’s Assetnote team (Adam Kues)'},
                {'source': 'WordPress Security Team'}],
 'response': {'containment_measures': ['Blocking anonymous REST API access via '
                                       'plugin',
                                       'Restricting access to '
                                       '`/wp-json/batch/v1` and '
                                       '`?rest_route=/batch/v1` endpoints at '
                                       'the WAF level'],
              'remediation_measures': ['Patching to WordPress versions 7.0.2, '
                                       '6.9.5, or 6.8.6',
                                       'Auto-updates force-pushed to affected '
                                       'sites']},
 'title': "Critical 'wp2shell' RCE Vulnerability in WordPress Core Exposes "
          '500M+ Sites to Takeover',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': ['CVE-2026-60137 (SQL injection)',
                             'CVE-2026-63030 (batch-route RCE)']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.