
The WordPress project has released emergency security updates to fix a critical vulnerability chain dubbed wp2shell, that can allow unauthenticated attackers to achieve remote code execution (RCE) on vulnerable websites.
The flaws affect WordPress 6.9 through 7.0.1 and have already prompted warnings that proof-of-concept (PoC) exploits are circulating and early signs of real-world exploitation have emerged.
The wp2shell chain was discovered by Adam Kues of Searchlight Cyber (formerly Assetnote) and responsibly disclosed to the WordPress Security Team. To give administrators time to patch, Searchlight Cyber has withheld technical details of the exploit chain, publishing only a public checker at wp2shell.com that allows site owners to determine whether their WordPress instance is vulnerable.
WordPress powers an estimated 500 million websites worldwide, making vulnerabilities in the core platform particularly significant because they affect installations regardless of whether third-party plugins are installed. According to Searchlight Cyber, the RCE can be exploited by an anonymous attacker against a default WordPress installation with no plugins or special preconditions.
The issue consists of two vulnerabilities addressed in the July 17 security release. The first, tracked as CVE-2026-60137, is a high-severity unauthenticated SQL injection flaw. The second, CVE-2026-63030, is a critical REST API batch-route confusion vulnerability that can be chained with the SQL injection bug to achieve remote code execution.
Wordfence said the RCE stems from the /wp-json/batch/v1 REST API endpoint, where a route validation and dispatch desynchronization can allow attacker-controlled requests to bypass intended restrictions. The security company assigned the flaw a CVSS score of 9.8 and noted that firewall protection was immediately rolled out to Premium, Care, and Response customers, with Free users receiving protection after the standard 30-day delay.
The patched releases are WordPress 7.0.2, 6.9.5, and 6.8.6, although the 6.8 branch is only affected by the SQL injection vulnerability. Due to the severity of the issues, the WordPress project has enabled automatic security updates for supported vulnerable installations.
Security researchers are urging administrators not to delay patching. Benjamin Harris, CEO of watchTowr, said unauthenticated SQL injection and remote code execution vulnerabilities in WordPress core are relatively uncommon, making this disclosure particularly concerning. He added that the company is already seeing PoC exploits for wp2shell in circulation and the first indications of in-the-wild exploitation, highlighting how rapidly attackers are weaponizing newly disclosed vulnerabilities.
For organizations unable to update immediately, Searchlight Cyber recommends temporarily blocking anonymous access to the REST API batch endpoint by disabling unauthenticated REST API access or blocking requests to /wp-json/batch/v1 and the rest_route=/batch/v1 parameter at the web application firewall level. The company also released a temporary mitigation plugin that requires authentication before batch API requests are processed, while noting that these measures may impact legitimate functionality and should only be used until systems can be updated.
WordPress website administrators should update to the latest patched version as soon as possible, verify that automatic updates have completed successfully, and review their servers for signs of compromise or newly deployed backdoors, particularly if patching was delayed.






Leave a Reply