Cybersecurity and Privacy

Critical WordPress Core Vulnerabilities CVE-2026-63030 and CVE-2026-60137 Expose Millions of Sites to Unauthenticated Remote Code Execution

The WordPress security landscape has been fundamentally altered following the disclosure of a critical vulnerability chain, collectively dubbed "wp2shell," which allows unauthenticated attackers to execute arbitrary code on affected servers. Discovered in the WordPress core, these flaws represent a significant threat to the global internet infrastructure, as the vulnerability resides within the foundational software rather than third-party plugins or themes. This ensures that even "bare-metal" installations—those running a default configuration with no additional software—are susceptible to complete takeover. The vulnerability chain impacts every site running WordPress versions 6.9 and 7.0, a demographic that encompasses hundreds of millions of websites globally.

The Technical Anatomy of wp2shell

The wp2shell exploit is the result of a sophisticated chain involving two distinct vulnerabilities: CVE-2026-63030 and CVE-2026-60137. Individually, these bugs represent significant security lapses, but when combined, they provide a direct path from an anonymous HTTP request to full system compromise.

CVE-2026-63030 is characterized as a REST API batch-route confusion vulnerability. The WordPress REST API, introduced as a core feature to facilitate modern web development, includes a batching endpoint (/wp-json/batch/v1) designed to process multiple requests within a single HTTP call. This feature is intended to reduce overhead and improve performance for complex administrative tasks. However, researchers discovered a logic error in how the system tracks sub-requests. When a sub-request within a batch fails or triggers a specific error condition, the internal arrays tracking the requests and their respective handlers fall out of synchronization. This "off-by-one" error allows an attacker to trick the server into processing a malicious request using the permissions or context of a different, potentially more privileged, handler.

CVE-2026-60137 is a classic SQL injection vulnerability located within the WP_Query class, specifically affecting the author__not_in parameter. This parameter is designed to exclude specific authors from a query and expects an array of numerical IDs. The vulnerability arises because the core code fails to strictly enforce this array requirement. If a string is passed to the parameter instead of an array, the sanitization logic is bypassed, allowing raw, attacker-controlled SQL commands to be injected directly into the database query.

The "chain" occurs when the batch-route confusion (CVE-2026-63030) is used to bypass the authentication checks that would normally protect the vulnerable WP_Query parameters. By nesting these requests, an anonymous user can force the application to process the SQL injection payload without ever logging in.

Discovery and Chronology of Disclosure

The discovery of the batch-route confusion is credited to Adam Kues, a security researcher at Assetnote, the attack surface management division of Searchlight Cyber. Kues identified the flaw through rigorous testing of the WordPress core REST API framework and reported the findings through WordPress’s official bug bounty program on HackerOne.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

The timeline of the event highlights the rapid transition from discovery to public risk:

  • Late 2025 – Early 2026: Researchers identify individual flaws in the REST API and SQL handling.
  • July 10, 2026: WordPress security teams finalize patches for the identified vulnerabilities.
  • July 15, 2026: WordPress officially releases versions 6.9.5, 7.0.2, and 6.8.6. Simultaneously, the organization triggers its "forced update" system to push these security fixes to as many sites as possible.
  • July 16, 2026: Technical details of the wp2shell mechanism begin to circulate within the cybersecurity community.
  • July 17, 2026: A functional proof-of-concept (PoC) exploit is published on GitHub by independent researchers who analyzed the changes in the WordPress core source code.
  • July 18, 2026: CVE IDs are officially assigned and the full technical write-up is released, confirming that the vulnerability chain is now a public commodity for both defenders and attackers.

The disclosure was met with a degree of controversy, as Searchlight Cyber initially withheld full technical details to give administrators time to patch. However, the nature of open-source software meant that the patch itself served as a roadmap for exploit developers. Within 24 hours of the patch release, the mechanism was fully understood by the broader research community.

Impact Analysis and Affected Demographics

The scale of the potential impact is staggering. Current estimates suggest that over 43% of all websites on the internet are powered by WordPress. While the total install base is approximately 500 million sites, the specific "blast radius" for the wp2shell RCE chain is limited to sites running version 6.9 or higher.

WordPress 6.9 was released on December 2, 2025. Consequently, any site updated within the last eight months is likely within the vulnerable range. The SQL injection (CVE-2026-60137) has an even broader reach, extending back to version 6.8. While a version 6.8 site cannot be exploited for unauthenticated RCE using this specific chain, it remains vulnerable to data theft and database manipulation if an attacker can find another way to reach the vulnerable parameter.

A critical factor in the vulnerability’s exploitability is the server configuration. Research from Cloudflare indicates that the RCE path is primarily effective on sites that do not utilize a persistent object cache, such as Redis or Memcached. In a default WordPress installation, which lacks such a cache, the conditions for the exploit are met. While the presence of a persistent object cache may mitigate the code execution aspect of the chain, it does not remediate the underlying SQL injection, leaving the site’s data at risk.

Official Responses and Industry Reaction

The WordPress core team has taken the unprecedented step of utilizing its auto-update system to force patches onto sites, even those that may have certain update restrictions in place. This move underscores the severity of the threat. In an official security advisory, WordPress rated the RCE chain as "Critical."

However, a discrepancy has been noted in the official Common Vulnerability Scoring System (CVSS) records. The CVE record for the chain carries a score of 7.5 (High), rather than the 9.0+ (Critical) score often associated with unauthenticated RCE. This is due to the scoring methodology treating the route confusion as a parsing flaw and focusing the impact metrics on data access rather than full system integrity. Security experts warn that these scores may be misleading and urge organizations to prioritize patching based on the functional impact (RCE) rather than the numerical score alone.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

Third-party security providers have moved quickly to protect their clients. Cloudflare has deployed specialized Web Application Firewall (WAF) rules to intercept and block requests targeting the /wp-json/batch/v1 endpoint that exhibit signs of the wp2shell exploit. Similarly, vulnerability scanning vendors like Rapid7 have announced that authenticated and unauthenticated checks for the flaws will be integrated into their platforms, such as InsightVM and Nexpose, by July 20, 2026.

Broader Implications for the CMS Ecosystem

The wp2shell event serves as a stark reminder of the risks inherent in the monoculture of the modern web. Because WordPress powers such a vast portion of the internet, a single core vulnerability becomes an "industry" for cybercriminals. The mention of the "WP-SHELLSTORM" crew—a threat actor group that successfully compromised over 17,000 sites using a previous, less severe caching plugin flaw—illustrates the efficiency with which attackers can operationalize public exploits.

Unlike previous major vulnerabilities that required specific plugins or non-standard configurations, wp2shell targets the default state of the software. This shifts the burden of defense from the user to the platform maintainer and the hosting provider. It also highlights the "race to patch" that occurs every time a major open-source project releases a security update. Because the fix is public, the exploit is effectively public, creating a narrow window of time for millions of administrators to secure their systems.

Recommendations for Administrators

For website owners and IT administrators, the primary recommendation is to verify that their WordPress installation is running version 6.9.5, 7.0.2, or 6.8.6 (depending on their branch). While the forced update system is active, it is not infallible; sites with specific file permission settings or those managed through external version control systems may require manual intervention.

If an immediate update is not possible, the following mitigations are suggested as temporary stopgaps:

  1. Disable the Batch API: Administrators can use code snippets or security plugins to disable the /wp-json/batch/v1 route entirely. This will break any functionality that relies on REST API batching but will effectively close the entry point for the wp2shell chain.
  2. Implement Strict WAF Filtering: Deploying a WAF that can inspect JSON payloads within REST API requests is essential for identifying the "nested" request structure used in this exploit.
  3. Monitor Query Logs: Security teams should monitor database logs for unusual activity involving the author__not_in parameter, specifically looking for string values where numerical IDs are expected.

The wp2shell vulnerability will likely be remembered as one of the most significant security events of 2026. As the update continues to roll out, the cybersecurity community remains on high alert, watching for the first signs of mass exploitation in the wild. The speed at which the global WordPress install base can transition to patched versions will ultimately determine the long-term damage caused by this discovery.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Device Kick
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.