Cybersecurity & Privacy

WordPress Core Suffers Critical Pre-Authentication Remote Code Execution Vulnerability

An anonymous HTTP request can now execute arbitrary code on a WordPress site, impacting a significant portion of the platform’s user base. The vulnerability, discovered in WordPress’s core codebase, means even a fresh installation devoid of any plugins is susceptible to exploitation. This critical flaw affected all WordPress versions 6.9 and 7.0 prior to the release of patched versions 6.9.5 and 7.0.2 on July 17, 2026, which WordPress then pushed out via its automatic update system, termed "forced updates."

The discovery of this serious security loophole was made by Adam Kues, an independent security researcher associated with Assetnote, the attack surface management division of Searchlight Cyber. Kues reported the vulnerability through WordPress’s official HackerOne bug bounty program. The detailed technical write-up, published under the moniker "wp2shell," highlights the alarming nature of the exploit, stating that it "has no preconditions and can be exploited by an anonymous user." This means an attacker does not need any prior access or credentials to compromise a vulnerable WordPress installation.

For now, Searchlight Cyber has opted to withhold the intricate technical details of the exploit. Instead, they have launched a dedicated website, wp2shell.com, which serves as a diagnostic tool, allowing website owners to test their WordPress instances and determine if they are affected by the vulnerability. This approach aims to provide immediate recourse for website administrators while the full technical disclosure is pending.

Chronology of the Vulnerability and Patch

The timeline of this vulnerability reveals a race against time between discovery and mitigation.

  • Prior to July 17, 2026: WordPress versions 6.9 and 7.0, including any intermediate releases within these branches, were vulnerable to the pre-authentication Remote Code Execution (RCE) exploit. This flaw allowed an unauthenticated attacker to gain control over a website by sending a specially crafted HTTP request.
  • December 2, 2025: Version 6.9 of WordPress was initially released. This marked the beginning of the vulnerable code being present in the ecosystem.
  • November 2020: The REST API batch framework, which became central to this vulnerability, was introduced in WordPress 5.6. While the framework itself is not new, a change in WordPress 6.9 introduced the vulnerability that allowed it to be exploited.
  • July 17, 2026: WordPress addressed the critical pre-authentication RCE vulnerability by releasing patched versions: WordPress 6.9.5 and WordPress 7.0.2. These updates were automatically pushed to a majority of WordPress sites through the platform’s auto-update mechanism.
  • July 17, 2026 (Continued): WordPress 7.1 beta 2 also incorporated the fix for this specific vulnerability.
  • July 17, 2026 (Continued): Separately, a different SQL injection bug in WordPress 6.8 led to the release of version 6.8.6. This indicates a broader security focus within the WordPress ecosystem at this time.
  • July 18, 2026: As of this date, no exploitation attempts had been publicly reported. The absence of a CVE (Common Vulnerabilities and Exposures) identifier and a lack of readily available exploitation signatures contributed to this initial quiet period.

Understanding the Technical Nature of the Flaw

WordPress, in its official release post for version 7.0.2, provided a more detailed, albeit technical, description of Kues’s discovery. The flaw is characterized as "a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution." This means that a misconfiguration or misunderstanding in how the REST API handles batch requests, combined with a vulnerability that allows for SQL injection, ultimately paved the way for attackers to execute their own code on the server.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

The WordPress release notes for 7.0.2 mention that the update addresses one critical and one high-severity flaw. It is not explicitly stated which of these corresponds to Kues’s discovery, but given the description, it is highly probable that Kues’s finding is the critical RCE vulnerability.

The files modified in version 7.0.2 to address both vulnerabilities are listed as:

  • /wp-includes/rest-api/class-wp-rest-server.php
  • /wp-includes/class-wp-query.php
  • /wp-includes/rest-api.php

The REST API batch endpoint itself is not a new feature, having been available since WordPress 5.6 in November 2020 and publicly documented since then. The specific change in WordPress 6.9 that created the exploitable condition remains undisclosed by either WordPress or the reporting researcher.

Impact and Scope of the Vulnerability

The potential impact of this vulnerability is substantial. WordPress powers an estimated 40% of all websites globally, a figure that translates to hundreds of millions of active sites. However, the vulnerable code was introduced with WordPress 6.9, released on December 2, 2025. This means that only sites running version 6.9 or 7.0, and which were not updated to the patched versions, are at risk. While this narrows the scope compared to the entire WordPress install base, it still represents a significant number of potentially vulnerable websites, particularly those running software less than eight months old.

Crucially, the exploit targets a "pre-authentication" vulnerability. This means that an attacker does not need to log in or possess any user credentials to initiate the attack. The exploit can be triggered by simply sending an anonymous HTTP request to a vulnerable server. This significantly lowers the barrier to entry for malicious actors, making it an attractive target for automated attacks and botnets.

Official Responses and Mitigation Strategies

WordPress’s swift action in releasing patched versions and implementing forced updates demonstrates a commitment to user security. The "forced updates" feature, while sometimes a point of contention for users who prefer manual control, proves invaluable in rapidly patching widespread vulnerabilities like this one. However, WordPress has not explicitly stated whether this forced push extends to sites where automatic updates have been manually disabled. Therefore, website administrators are strongly advised to verify their current WordPress version rather than assuming the update has been applied.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

The official release notes for WordPress 6.9.5 and 7.0.2 detail the fixes. While a CVE identifier has not yet been assigned, and consequently, the vulnerability is not yet listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog, website owners are urged to act. Tracking the vulnerability by its version number is the primary means of identification for now.

For website owners who cannot immediately update their WordPress installation, Searchlight Cyber has outlined several stopgap mitigation measures. These are designed to block anonymous access to the vulnerable batch endpoint and include:

  • Web Application Firewall (WAF) Rules: Implementing custom WAF rules to block requests targeting the /wp-json/wp/v2/batch endpoint. This requires careful configuration to avoid blocking legitimate API traffic.
  • Server-Level Access Control: Configuring web server access control (e.g., via .htaccess or Nginx configuration) to restrict access to the batch endpoint, potentially allowing access only from trusted IP addresses.
  • Plugin-Based Access Control: Utilizing security plugins that offer granular control over API endpoints, although the effectiveness of such plugins against a core vulnerability needs careful evaluation.

It is important to note that these mitigation strategies are temporary fixes and may potentially disrupt legitimate functionalities or integrations that rely on the REST API batch endpoint. The primary recommendation remains to update WordPress to the latest secure version as soon as possible.

Broader Implications for the WordPress Ecosystem

The discovery and rapid patching of the "wp2shell" vulnerability underscore several critical aspects of the modern web security landscape, particularly concerning open-source platforms like WordPress.

  • The Open-Source Dilemma: Open-source projects, by their very nature, make their code publicly accessible. This transparency is a double-edged sword. While it allows for community scrutiny and rapid bug identification, it also means that once a vulnerability is publicly disclosed, the "map to the bug" is available to anyone, including malicious actors. The challenge for open-source projects lies in distributing patches faster than attackers can weaponize the disclosed vulnerabilities. WordPress’s swift response, including forced updates, is a testament to their efforts to mitigate this inherent risk.
  • The Rise of Automated Exploitation: The sheer scale of WordPress’s adoption makes it a prime target for automated attacks. As evidenced by past incidents, such as the "WP-SHELLSTORM" campaign exploiting a caching plugin flaw, even vulnerabilities that require non-default settings can lead to widespread compromises. A pre-authentication RCE in core, however, significantly amplifies this threat.
  • The Role of Researchers and Disclosure Policies: The reporting of this vulnerability through HackerOne highlights the effectiveness of structured bug bounty programs. However, the decision by Searchlight Cyber to withhold technical details initially, while providing a testing tool, is a strategic move to give defenders a head start. This contrasts with situations where immediate public disclosure of technical details can lead to rapid exploitation, as seen in some past Drupal vulnerabilities where researchers provided working proofs-of-concept on the same day a fix was released. The industry is continuously evaluating the optimal balance between swift disclosure and providing adequate time for patching.
  • The Importance of Version Management: The incident serves as a stark reminder of the critical importance of timely software updates. Websites running outdated software, even by a few months, can be exposed to significant risks. The lack of a CVE ID for this specific vulnerability means that automated scanning tools and security inventories might not immediately flag affected systems, placing an even greater onus on administrators to stay informed about version-specific security advisories.

As of July 18, 2026, no exploitation attempts had been reported. However, with the technical details of the exploit eventually expected to become public, and the inherent nature of open-source code, it is only a matter of time before attackers begin to probe for vulnerable sites. The battle for online security is often a race, and in this instance, WordPress has pulled the lever on rapid patching, hoping the update reaches its vast user base before the exploit becomes widespread. The true measure of success will be reflected in traffic against the /batch/v1 endpoint and the adoption rates of the patched WordPress versions.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Snapost
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.