Cybersecurity and Privacy

Critical Vulnerabilities in WordPress Core Identified as wp2shell Expose Millions of Websites to Unauthenticated Remote Code Execution

The global cybersecurity landscape is currently facing a significant threat following the disclosure of a sophisticated exploit chain within the WordPress core, collectively identified as wp2shell. This vulnerability, which allows for unauthenticated remote code execution (RCE), represents one of the most critical security crises for the content management system (CMS) in recent years. Unlike many previous vulnerabilities that relied on third-party plugins or specific themes, wp2shell resides directly within the WordPress core files, meaning that even a "vanilla" installation with no active plugins is susceptible to attack. The flaw primarily affects WordPress versions 6.9 and 7.0, with the security community estimating that hundreds of millions of websites could be within the potential blast radius.

The vulnerability is not a single point of failure but rather a "chain" of two distinct security flaws that, when combined, allow an anonymous attacker to execute arbitrary code on a target server. These flaws have been officially designated as CVE-2026-63030 and CVE-2026-60137. The former involves a logic error in the REST API’s batch-route processing, while the latter is a traditional but highly impactful SQL injection vulnerability within the WP_Query class. By leveraging the batch-route confusion to bypass authentication checks, an attacker can deliver a malicious payload to the SQL injection point, eventually gaining the ability to run code on the underlying operating system.

The Technical Anatomy of the wp2shell Chain

To understand the severity of wp2shell, one must examine the two components of the exploit. The first link in the chain, CVE-2026-63030, targets the WordPress REST API batch framework. Introduced in version 5.6, this framework allows developers to send multiple API requests in a single HTTP call to the /wp-json/batch/v1 endpoint. This is designed to improve performance by reducing the number of round-trips between the client and the server. However, researchers discovered a "confusion" bug in how the system tracks these sub-requests. If one sub-request within a batch results in a specific type of error, the internal array pointers for the remaining requests can become desynchronized. This allows a subsequent request in the same batch to be processed under the security context or handler of a different, potentially more privileged, endpoint.

The second link, CVE-2026-60137, is a SQL injection vulnerability located in the author__not_in parameter of the WP_Query class. Under normal circumstances, WordPress expects an array of integers for this parameter and performs sanitization to ensure no malicious characters are included. However, the researchers found that if a string is passed to this parameter instead of an array, the internal validation checks are bypassed, and the raw string is concatenated directly into the SQL query. While WP_Query is generally protected by authentication requirements in most standard use cases, the batch-route confusion allows an anonymous user to reach this vulnerable code path.

Chronology of Discovery and Disclosure

the timeline of wp2shell began in late 2025 and early 2026, culminating in the emergency security releases issued this July. The batch-route confusion bug was first identified by Adam Kues, a researcher at Assetnote, the attack surface management division of Searchlight Cyber. Kues reported the finding through the WordPress bug bounty program on HackerOne. Simultaneously, the SQL injection vulnerability was reported by a group of independent researchers, including TF1T, dtro, and haongo, who identified the flaw in the WP_Query handling of author exclusions.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

The WordPress security team worked in coordination with these researchers to develop patches while maintaining strict confidentiality to prevent premature exploitation. On Friday, July 17, 2026, WordPress released versions 6.9.5 and 7.0.2. These releases were unique because they triggered the "forced update" mechanism. While WordPress typically allows site administrators to opt-out of major version updates, the security team deemed this threat "critical" enough to push the patch even to many sites that had disabled automatic updates, though the efficacy of this push on hardened or restricted environments remains a subject of investigation.

By July 18, 2026, the situation escalated as the full technical mechanism of the exploit was published online. Shortly thereafter, a functional proof-of-concept (PoC) was uploaded to GitHub by third-party researchers who had reverse-engineered the official patches. This transition from a "known bug" to a "public exploit" significantly increased the risk for any site that had not yet successfully updated.

Impact Analysis and Global Reach

The scale of the WordPress ecosystem makes any core vulnerability a matter of global concern. Recent data from Searchlight Cyber suggests that over 500 million websites utilize WordPress as their primary CMS, accounting for approximately 43% of the internet. While not all 500 million sites are running the vulnerable versions (6.9 and 7.0), the adoption rate for version 6.9, which launched in December 2025, has been exceptionally high.

A critical nuance in the impact of wp2shell is the environmental requirement for full code execution. Research from Cloudflare indicates that the RCE path is primarily viable on sites that do not utilize a persistent object cache, such as Redis or Memcached. In a default WordPress installation, data is retrieved directly from the database and processed in a way that allows the SQL injection to facilitate code execution. However, when a persistent object cache is present, the way WordPress handles query results changes, often breaking the specific chain required to achieve shell access. Despite this, Cloudflare warned that sites with object caching are still vulnerable to the underlying SQL injection, which can be used to steal sensitive data, such as user credentials, PII, and configuration secrets.

Discrepancies in Severity Scoring

An interesting point of debate within the cybersecurity community has been the Common Vulnerability Scoring System (CVSS) ratings assigned to the two flaws. The WordPress official advisory labels the combined RCE chain as "Critical." However, the individual CVE records tell a more complex story.

CVE-2026-63030 (the batch-route confusion) received a CVSS score of 7.5 (High). This lower-than-expected score is attributed to the fact that, on its own, the bug is classified as a parsing and logic flaw with limited direct impact on data integrity or availability. In contrast, CVE-2026-60137 (the SQL injection) has been assigned scores exceeding 9.1 (Critical) because it allows direct, unauthenticated access to the database. Security analysts argue that focusing solely on the "RCE" label may lead administrators to underestimate the SQL injection’s danger. Even if code execution is blocked by a server’s configuration, the ability for an attacker to dump the entire database remains a catastrophic risk.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

Industry Reactions and Defensive Measures

In response to the disclosure, major security vendors have moved rapidly to protect their clients. Cloudflare was among the first to deploy Web Application Firewall (WAF) rules specifically designed to detect and block the malicious "nested" batch requests that trigger the confusion bug. Similarly, Rapid7 announced that its InsightVM and Nexpose scanning tools would receive updated checks to identify vulnerable WordPress versions by July 20.

Despite these efforts, the threat of mass exploitation looms large. The "WP-SHELLSTORM" incident of June 2026 serves as a grim precedent. In that case, a vulnerability in a popular caching plugin was exploited to compromise over 17,000 websites within weeks of the patch being released. Given that wp2shell is a core vulnerability and affects a much larger target set, security experts fear the number of compromises could be significantly higher if the update cycle is slow.

The Cybersecurity and Infrastructure Security Agency (CISA) has not yet added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog as of July 18, as there have been no confirmed reports of the exploit being used in the wild. However, CISA typically updates the catalog only after active exploitation is verified, and the presence of a public PoC suggests that "in the wild" attacks are imminent.

Mitigation Strategies for Administrators

For website owners and administrators, the primary and most effective defense is to update WordPress to version 6.9.5, 7.0.2, or 7.1 beta 2 immediately. For those unable to update due to legacy dependencies or complex environments, several temporary mitigations have been proposed:

  1. Disabling the Batch API: Administrators can disable the REST API batch endpoint entirely by adding specific filters to their functions.php file or using a security plugin. This breaks the first link in the exploit chain.
  2. Implementing WAF Rules: Utilizing a cloud-based or server-side WAF to filter traffic to /wp-json/batch/v1 can provide a layer of protection against known exploit patterns.
  3. Enabling Persistent Object Caching: While not a fix for the SQL injection, implementing Redis or Memcached can mitigate the risk of full remote code execution.
  4. Database Hardening: Ensuring that the WordPress database user has the "least privilege" necessary can limit the damage an attacker can do via SQL injection.

Conclusion: A Race Against Time

The wp2shell disclosure highlights the inherent risks of maintaining a massive, centralized codebase that powers a near-majority of the web. The "forced update" initiated by WordPress represents a bold attempt to get ahead of the threat, but the success of this strategy depends on the diversity of the WordPress ecosystem. As attackers begin to automate the public PoC, the window for manual remediation is closing. The coming weeks will determine whether the coordinated response between researchers and the WordPress core team was enough to prevent a massive wave of global site compromises. For now, the message to the millions of site administrators worldwide is clear: verify your version, check your logs, and apply the patch without delay.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Device Kick
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.