New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

The global cybersecurity landscape is currently facing one of its most significant challenges in recent years following the discovery of a critical vulnerability chain within the WordPress core software. Known colloquially as "wp2shell," this security flaw allows an anonymous, unauthenticated attacker to execute arbitrary code on a targeted WordPress installation. Because the vulnerability resides within the core codebase of the Content Management System (CMS), even a "bare-metal" installation with no third-party plugins or themes is susceptible to exploitation. The vulnerability primarily affects sites running WordPress versions 6.9 and 7.0, representing a massive portion of the modern web. In response to the escalating threat, the WordPress security team has taken the extraordinary step of deploying forced updates—versions 6.9.5 and 7.0.2—leveraging the platform’s built-in auto-update mechanism to patch the flaw before mass exploitation can take hold.
The Anatomy of wp2shell: A Dual-Vulnerability Chain
The "wp2shell" exploit is not a single bug but rather a sophisticated chain of two distinct vulnerabilities, each identified with its own Common Vulnerabilities and Exposures (CVE) ID. The first component is CVE-2026-63030, a REST API batch-route confusion flaw. The second is CVE-2026-60137, a critical SQL injection vulnerability found deep within the WordPress core logic. When combined, these flaws provide a direct pathway for an external actor to bypass authentication and gain full control over the underlying server environment.
CVE-2026-63030 functions as the entry point. The WordPress REST API includes a batch processing feature, introduced in version 5.6, which allows developers to combine multiple API requests into a single HTTP call for better performance. However, researchers discovered a logic error in how these sub-requests are tracked and processed. If an error occurs in one part of the batch, the internal tracking arrays can fall out of synchronization. This "off-by-one" error causes a subsequent request to be executed under the handler of a different request, effectively allowing an attacker to bypass the "allow-list" of permitted endpoints for unauthenticated users.
Once the attacker has bypassed these initial gatekeepers, they utilize CVE-2026-60137. This SQL injection flaw is located within the WP_Query class, specifically involving the author__not_in parameter. The vulnerability arises from a lack of strict type validation. While the system expects an array of author IDs to exclude from a query, providing a string instead of an array causes the sanitization check to be bypassed. This allows raw, malicious SQL commands to be injected directly into the database query. By nesting this injection within the confused batch request, an attacker can achieve Remote Code Execution (RCE) by manipulating database values that the application later executes.
Chronology of Discovery and Disclosure
The discovery of the wp2shell chain involved multiple independent research teams, highlighting the complexity of the WordPress core. Adam Kues, a researcher at Assetnote—the attack surface management division of Searchlight Cyber—identified the batch-route confusion bug. Following responsible disclosure protocols, Kues reported the findings through the WordPress bug bounty program hosted on HackerOne.

Simultaneously, the SQL injection vulnerability was reported by a group of independent researchers, including TF1T, dtro, and haongo. By early July 2026, the WordPress security team realized that these two separate issues could be chained together to create a pre-authentication RCE—the most dangerous category of software vulnerability.
On Friday, July 17, 2026, the WordPress team released the necessary patches. Recognizing the severity of the situation, they initiated a "forced update" push. While WordPress typically allows site administrators to opt-out of major version updates, the core team utilized the emergency auto-update system to ensure that as many sites as possible were protected within a 24-hour window. By July 18, 2026, the full technical mechanism of the exploit was published by security researchers who had analyzed the patch, and a working Proof-of-Concept (PoC) was made available on GitHub, significantly increasing the risk for sites that have not yet updated.
Impact Analysis: A Reach of Over 500 Million Sites
The scale of the potential impact is staggering. According to data provided by Searchlight Cyber, WordPress powers over 500 million websites, accounting for approximately 43% of all sites on the internet. While not every site is vulnerable to the full RCE chain, the risk is concentrated in the most modern versions of the software.
The RCE chain specifically targets versions 6.9 and 7.0. Version 6.9 was released on December 2, 2025, meaning any site updated within the last eight months is potentially in the line of fire. Sites running version 6.8 are not susceptible to the full RCE because the batch-route confusion bug was introduced in the 6.9 development cycle; however, version 6.8 sites remain vulnerable to the SQL injection (CVE-2026-60137) alone. Consequently, WordPress has also released version 6.8.6 to address the injection flaw for those on older release branches.
A critical factor that narrows the "blast radius" of the RCE is the presence of a persistent object cache. Research from Cloudflare indicates that the code-execution path is only viable on sites that do not utilize a persistent object cache like Redis or Memcached. Unfortunately, a default WordPress installation does not include a persistent object cache, meaning the vast majority of small-to-medium-sized websites remain fully exposed in their default configuration.
Discrepancies in Security Scoring and Industry Reaction
The industry’s reaction to wp2shell has been marked by a debate over the official CVSS (Common Vulnerability Scoring System) scores. While the WordPress security advisory rates the RCE chain as "Critical," the official CVE record initially assigned it a score of 7.5 (High). This discrepancy stems from how vulnerability metrics are calculated. The 7.5 score primarily reflects the impact on data confidentiality, whereas a "Critical" rating (usually 9.0 or higher) would account for the total loss of integrity and availability that comes with code execution.

Security analysts argue that the scoring system often fails to capture the true danger of "chained" vulnerabilities. The SQL injection component alone carries a score higher than 9.1 because of its direct reach into the site’s database. Experts advise system administrators to focus on the "Critical" label provided by the WordPress security team rather than the lower individual CVE scores, as the real-world impact of a server takeover far exceeds "data access."
Major infrastructure providers have already taken action. Cloudflare has deployed specialized Web Application Firewall (WAF) rules to protect its customers from the specific traffic patterns associated with the wp2shell exploit. Similarly, Rapid7 has announced that authenticated vulnerability checks for its InsightVM and Nexpose products will be available by July 20, 2026. As of the latest reports on July 18, the Cybersecurity and Infrastructure Security Agency (CISA) has not yet added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, as there has been no confirmed evidence of mass exploitation in the wild. However, experts warn that this window of safety is rapidly closing now that the PoC code is public.
Mitigation Strategies and Future Outlook
For site administrators who are unable to update to versions 6.9.5 or 7.0.2 immediately, several temporary mitigations have been suggested by Searchlight Cyber. The primary goal of these mitigations is to prevent anonymous users from accessing the vulnerable batch endpoint. These include:
- Restricting REST API Access: Implementing server-level rules to block access to the
/wp-json/batch/v1route for any requests that do not carry a valid authentication token. - WAF Implementation: Utilizing a cloud-based or server-side firewall to filter for malicious SQL strings and abnormal batch request structures.
- Enabling Persistent Caching: While not a fix for the underlying bug, implementing a Redis or Memcached persistent object cache can break the specific chain required for code execution.
However, security professionals emphasize that these are only stopgap measures. The nature of open-source software means that the release of a patch essentially provides a "map" for attackers to reverse-engineer the vulnerability. The "race to patch" is now a competition between automated botnets and the WordPress auto-update system.
The wp2shell event serves as a stark reminder of the risks inherent in the centralized nature of the modern web. With nearly half of the internet relying on a single codebase, a flaw in the core logic of that software becomes a systemic risk to global digital infrastructure. The success of the WordPress team’s forced update strategy will likely be studied by cybersecurity experts for years to come as a case study in emergency large-scale patch management. For now, the priority for every WordPress site owner is clear: verify your version number and ensure that the latest security patches have been successfully applied. If the update curve fails to outpace the exploitation curve, the "wp2shell" incident could become one of the most damaging episodes in the history of the CMS.







