Cybersecurity & Privacy

WordPress Core Vulnerabilities "wp2shell" Allow Anonymous Code Execution, Exposing Millions of Sites

July 18, 2026 – A critical security vulnerability, dubbed "wp2shell," has been discovered in the core of the WordPress content management system, enabling anonymous attackers to execute arbitrary code on affected websites. The dual-flaw exploit, initially identified in WordPress versions 6.9 and 7.0, has now been fully disclosed with assigned CVE identifiers, a public proof-of-concept, and a detailed technical breakdown, significantly escalating the risk to the estimated 500 million websites powered by the platform. WordPress has since issued emergency updates, 6.9.5 and 7.0.2, and is employing a forced update mechanism to mitigate the immediate threat.

The vulnerability chain, officially cataloged as CVE-2026-63030 and CVE-2026-60137, leverages a sophisticated two-pronged attack. The first component, CVE-2026-63030, is a REST API batch-route confusion flaw discovered by Adam Kues of Assetnote, the attack surface management division of Searchlight Cyber. This bug, reported through WordPress’s HackerOne bug bounty program, allows for a critical misdirection within the batch processing endpoint. The second, CVE-2026-60137, is a SQL injection vulnerability within WordPress core, independently reported by security researchers TF1T, dtro, and haongo. When chained together, these vulnerabilities bypass authentication, enabling an unauthenticated attacker to achieve remote code execution (RCE) on vulnerable WordPress installations.

The Evolution of the "wp2shell" Threat

The timeline of the "wp2shell" disclosure highlights the rapid pace at which vulnerabilities can be weaponized once technical details become public. The initial discovery by Assetnote focused on the batch-route confusion, a flaw that existed in WordPress versions from 6.9 onwards. This bug, when exploited, could cause processing errors within the REST API’s batch endpoint, leading to requests being handled by unintended functions.

Subsequently, the SQL injection vulnerability was identified, affecting WordPress versions as far back as 6.8. This injection flaw, specifically residing within the WP_Query parameters, particularly the author__not_in argument, allows for the injection of malicious SQL code if it receives a string instead of the expected array. The critical aspect is that the batch-route confusion acts as the gateway, enabling an attacker to reach this vulnerable parameter without any form of authentication.

The full implications of these chained vulnerabilities became starkly apparent following the publication of a comprehensive write-up by Searchlight Cyber under the moniker "wp2shell." This detailed analysis, coupled with the subsequent release of a working proof-of-concept (PoC) on GitHub, transformed a theoretical threat into an immediate and tangible danger. The PoC provided attackers with a readily available tool to exploit the vulnerability, accelerating the potential for widespread compromise.

Technical Breakdown: How the Exploit Works

The "wp2shell" exploit hinges on a critical interaction between two distinct vulnerabilities.

1. The REST API Batch-Route Confusion (CVE-2026-63030):
Introduced in WordPress 5.6 in 2020, the REST API batch framework allows multiple API requests to be bundled into a single HTTP request. This is managed by WordPress using two parallel arrays to track the sub-requests and their corresponding handlers. The vulnerability discovered by Assetnote lies in an error condition within this system. When an error occurs during the processing of one sub-request, it can cause the arrays to become desynchronized. This misalignment means that a subsequent request, even if intended for a different handler, might inadvertently be processed by the handler associated with the corrupted request.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

2. The SQL Injection in WP_Query (CVE-2026-60137):
This vulnerability affects the core WP_Query class, a fundamental component for database interactions in WordPress. Specifically, the author__not_in parameter, designed to exclude posts authored by specific users, is susceptible to SQL injection if a string value is provided instead of the expected array. The validation logic for this parameter fails to correctly sanitize string inputs, allowing raw values to be directly incorporated into the SQL query.

The Chained Attack:
The "wp2shell" exploit effectively uses the REST API batch-route confusion as a conduit to deliver the malicious input to the vulnerable WP_Query parameter. By carefully crafting a batch request that triggers the desynchronization error, an attacker can manipulate the WordPress backend to process their malicious input intended for the author__not_in parameter. This bypasses all authentication and authorization checks, directly injecting the SQL payload and leading to remote code execution.

Affected Versions and Mitigation Efforts

The two vulnerabilities have different version ranges of impact, creating distinct exposure scenarios. The SQL injection vulnerability (CVE-2026-60137) dates back to WordPress version 6.8. However, the critical code-execution path, which requires chaining with the batch-route confusion, is only present in WordPress versions 6.9 and above. The batch-route confusion itself was introduced in WordPress 6.9.

This means that:

  • Websites running WordPress 6.8 are vulnerable to the SQL injection but not to the full unauthenticated RCE chain. WordPress version 6.8.6 includes a patch for the SQL injection alone.
  • Websites running WordPress 6.9 and later, up to the unpatched versions, are vulnerable to the complete "wp2shell" exploit, leading to unauthenticated remote code execution.

WordPress responded swiftly to the disclosure by releasing updated versions:

  • WordPress 6.9.5: Addresses both the SQL injection and the batch-route confusion.
  • WordPress 7.0.2: Addresses both vulnerabilities for the 7.0 branch.

The platform has activated its auto-update system, employing a "forced update" mechanism. This initiative aims to ensure that as many vulnerable sites as possible receive the patch automatically, even those that may have previously disabled automatic updates. However, the effectiveness of this forced push on sites that explicitly disabled auto-updates remains a point of concern for administrators. Users are strongly advised to manually verify their WordPress version and ensure they are running the latest patched releases.

Security Community Reactions and Analysis

The disclosure of "wp2shell" has sent ripples of concern throughout the cybersecurity community. Searchlight Cyber’s decision to hold back its full technical write-up initially, while still providing a checker at wp2shell.com, indicated an awareness of the potential for immediate exploitation once the patch was public. The fact that other researchers could reverse-engineer the patch and publish detailed exploit mechanisms within a day underscores the challenge of containing such vulnerabilities.

The scoring of the vulnerabilities by WordPress and CVE has also drawn attention. WordPress’s own security advisory rates the RCE chain as "Critical." However, the official CVE record assigns a CVSS score of 7.5 (High) for the RCE chain, focusing primarily on data access rather than the full impact of integrity and availability loss typically associated with code execution. The SQL injection vulnerability, independently, receives a score higher than 9.1 (Critical). This discrepancy highlights the importance of looking beyond a single score and understanding the specific attack vectors and their potential consequences. Security professionals emphasize tracking both CVEs independently, rather than relying solely on the "critical RCE" label.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

Cloudflare has noted a specific condition that narrows the blast radius for the code-execution path: the exploit is only effective when a site is not running a persistent object cache, such as Redis or Memcached. While this condition might protect some installations, it does not mitigate the SQL injection vulnerability itself and serves as a temporary, indirect defense rather than a complete solution. Default WordPress installations, which typically lack such caching mechanisms, remain fully exposed to the RCE exploit.

Broader Implications and Future Concerns

The sheer scale of WordPress’s user base means that even a small percentage of vulnerable sites represents millions of potential targets. The platform’s open-source nature, while fostering innovation and transparency, also means that vulnerabilities can be dissected and exploited by a wide array of actors, from security researchers to malicious hackers.

The "wp2shell" incident echoes previous large-scale WordPress compromises, such as the WP-SHELLSTORM campaign which leveraged a caching plugin flaw. The critical difference here is the core nature of the vulnerability and its applicability to a bare, uncustomized WordPress installation. This makes it an attractive target for automated attacks and widespread exploitation.

Analysis of Implications:

  • Increased Attack Surface: The discovery of "wp2shell" significantly expands the attack surface for WordPress users. The ability for anonymous attackers to gain code execution opens the door to a wide range of malicious activities, including website defacement, data theft, malware distribution, and the use of compromised sites as part of botnets.
  • Urgency for Updates: The immediate imperative for website administrators is to update their WordPress installations. The forced update mechanism employed by WordPress is a crucial step, but manual verification remains essential, particularly for sites with custom configurations or those that have disabled auto-updates.
  • Supply Chain Risks: The vulnerability in WordPress core highlights the inherent risks within the software supply chain. Even widely used and seemingly stable platforms can harbor critical flaws that can have far-reaching consequences.
  • Sophistication of Attacks: The chained nature of the "wp2shell" exploit demonstrates a growing sophistication in vulnerability exploitation, requiring attackers to understand and combine multiple weaknesses to achieve their objectives.
  • Post-Exploitation Threats: Once exploited, compromised WordPress sites can be leveraged for various nefarious purposes. This includes phishing campaigns, serving malicious ads, and as staging grounds for further network intrusions.

Recommendations for Website Administrators

For administrators unable to update immediately, Searchlight Cyber has provided temporary mitigation strategies focused on blocking access to the batch endpoint. These include:

  • Web Application Firewall (WAF) Rules: Implementing WAF rules to block requests to /wp-json/batch/v1 can prevent the initial stage of the attack.
  • Server-Level Access Control: Configuring server-level access controls to deny requests to the batch endpoint can offer an additional layer of protection.
  • Rate Limiting: Implementing strict rate limiting on the batch endpoint can help to mitigate brute-force attempts.

However, it is crucial to understand that these are stopgap measures. They may interfere with legitimate integrations and do not fully address the underlying vulnerabilities. The only definitive solution is to update WordPress to a patched version.

The cybersecurity landscape is in a constant state of evolution, and the "wp2shell" incident serves as a stark reminder of the persistent threats facing web applications. As scanners like Rapid7’s InsightVM and Nexpose begin to incorporate checks for these vulnerabilities, and with the potential for CISA to add them to its Known Exploited Vulnerabilities catalog, the pressure to patch will only intensify. The ongoing battle between defenders and attackers will be decided by the speed at which patches are deployed and the vigilance of website owners in securing their digital assets. The global WordPress community now faces the critical task of reinforcing its defenses against this potent, pre-authentication code execution threat.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Snapost
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.