Massive Security Flaw in WordPress Core Identified as wp2shell Enables Unauthenticated Remote Code Execution Across Millions of Websites

The global cybersecurity community is currently navigating the fallout of a critical vulnerability disclosure affecting the world’s most popular content management system, WordPress. Identified as "wp2shell," the vulnerability represents a sophisticated chain of two distinct security flaws within the WordPress core software, allowing an anonymous, unauthenticated attacker to execute arbitrary code on a target server. Unlike many previous high-profile WordPress exploits that relied on third-party plugins or themes, wp2shell resides in the fundamental codebase of the application, meaning that even a "bare-metal" installation with no active plugins is susceptible to takeover. The disclosure has prompted an emergency response from the WordPress security team, which has deployed forced automated updates to protect an estimated 500 million websites that form the backbone of the modern internet.
The Discovery and Disclosure Timeline
The vulnerability research began with Adam Kues, a researcher at Assetnote, the attack surface management division of Searchlight Cyber. Kues identified a critical flaw in how the WordPress REST API handles batch requests. This discovery was reported through the WordPress Bug Bounty program on HackerOne, a platform used by the organization to coordinate with independent security researchers. As the investigation deepened, it became clear that the REST API flaw could be paired with a separate SQL injection vulnerability reported independently by several other researchers, including individuals identified as TF1T, dtro, and haongo.
On July 18, 2026, the situation escalated when technical details and a working proof-of-concept (PoC) were published on GitHub. While Searchlight Cyber initially attempted to withhold the full technical mechanism to give administrators time to patch, the release of WordPress versions 6.9.5 and 7.0.2 effectively made the fix public. In the world of open-source software, a patch often serves as a roadmap for attackers; by comparing the old code to the new code, researchers and malicious actors alike can reverse-engineer the original flaw. This reality forced a transition from coordinated disclosure to a race against active exploitation.
The WordPress security team took the rare step of utilizing its "forced update" mechanism. While WordPress typically allows site administrators to choose whether to automate minor or major updates, the severity of wp2shell led the core team to push the security patches directly to all reachable installations. However, concerns remain regarding sites that have explicitly disabled the auto-update system or are running in environments with restricted outbound connectivity, leaving a significant portion of the web potentially exposed.
Technical Deep Dive: The Mechanics of wp2shell
The wp2shell exploit is a "chain," meaning it requires the successful execution of two separate bugs to achieve its final goal of Remote Code Execution (RCE). The individual vulnerabilities have been assigned the identifiers CVE-2026-63030 and CVE-2026-60137.
CVE-2026-60137: The SQL Injection Vulnerability
The first component of the chain is a SQL injection vulnerability located within the WP_Query class, specifically involving the author__not_in parameter. WP_Query is the primary tool used by WordPress to fetch content from the database. Under normal circumstances, the author__not_in parameter expects an array of user IDs to exclude from a search. The vulnerability arises because the code fails to strictly enforce this array requirement. If a specifically crafted string is provided instead of an array, the internal validation logic is bypassed. This allows an attacker to "drop" raw SQL commands into the query, which the database then executes. While SQL injection is a severe flaw on its own, it usually requires some level of administrative access or a specific front-end form to exploit.
CVE-2026-63030: The REST API Batch-Route Confusion
The second and perhaps more critical component is the REST API batch-route confusion. Introduced in WordPress version 5.6, the /wp-json/batch/v1 endpoint was designed to improve performance by allowing multiple API requests to be bundled into a single HTTP call. The system processes these requests in parallel, using two internal arrays to track the requests and their corresponding handlers.

The flaw discovered by Adam Kues involves an error-handling mismatch. When one sub-request within a batch fails or triggers a specific error condition, the internal tracking arrays can fall out of synchronization. This "off-by-one" error causes a subsequent request to be processed by a handler it was never intended for. By nesting these requests, an attacker can trick the system into bypassing the standard REST API allow-list. This effectively allows an unauthenticated, anonymous user to reach internal functions—like the vulnerable WP_Query class—that should be protected by login requirements.
The RCE Chain
When combined, these two bugs create a catastrophic security failure. An anonymous attacker sends a complex, nested batch request to the WordPress REST API. The batch-route confusion (CVE-2026-63030) allows the attacker to bypass authentication and access the WP_Query logic. Once there, the attacker utilizes the SQL injection (CVE-2026-60137) to manipulate the database. In many WordPress environments, control over the database can be escalated to code execution on the server by modifying site options, creating rogue administrative users, or injecting malicious PHP code into the theme or plugin editors.
Impact Analysis and Affected Versions
The scope of the wp2shell vulnerability is determined by the version of WordPress a site is running. While the SQL injection flaw (CVE-2026-60137) is present in older versions dating back to WordPress 6.8, the specific REST API batch confusion (CVE-2026-63030) that enables unauthenticated RCE was only introduced in version 6.9.
As a result, the risk profile is split:
- WordPress 6.8.x: These sites are vulnerable to the SQL injection but cannot be exploited for RCE via the wp2shell chain. A patch (6.8.6) has been released to address the injection flaw.
- WordPress 6.9 and 7.0: These versions contain both flaws and are fully exploitable for unauthenticated RCE. Sites running these versions are at the highest risk and must be updated to 6.9.5 or 7.0.2 immediately.
- WordPress 7.1 Beta: Early testers were protected starting with Beta 2, which integrated both fixes.
The timing of the vulnerability is particularly notable. Version 6.9 was released in December 2025, meaning the window of exposure for the RCE chain is less than eight months. Despite this relatively short window, the massive adoption rate of WordPress means that millions of sites were in the "blast radius" at the time of disclosure.
Industry Reactions and Mitigation Strategies
The cybersecurity industry has responded with urgency. Cloudflare, one of the world’s largest web infrastructure providers, announced that it had deployed specialized Web Application Firewall (WAF) rules to block wp2shell attack patterns even before the full technical details were public. Cloudflare’s research also highlighted a specific condition that affects the exploit’s reliability: the RCE path appears to be significantly hindered if a site is utilizing a persistent object cache, such as Redis or Memcached. While a persistent cache is not a "fix," it changes the way WordPress handles memory and database queries, potentially breaking the attacker’s ability to chain the two bugs.
Security scanning firms like Rapid7 have integrated checks for the vulnerabilities into their platforms, including InsightVM and Nexpose. However, these checks are primarily "authenticated," meaning they confirm the version of the software rather than simulating the unauthenticated attack itself.

For administrators who are unable to update their WordPress core immediately due to legacy compatibility issues, Searchlight Cyber has suggested several temporary "stopgap" measures. These include:
- Disabling the Batch Endpoint: Using a code snippet or a security plugin to completely disable the
/wp-json/batch/v1route. This breaks the first link in the exploit chain. - Restricting REST API Access: Limiting REST API access to authenticated users only, though this can break front-end functionality for some modern themes.
- WAF Implementation: Utilizing a cloud-based or server-side firewall to filter for anomalous nested JSON payloads directed at the batch API.
Experts warn that these are temporary mitigations and do not address the underlying SQL injection flaw, which could potentially be reached through other, yet-to-be-discovered vectors.
Historical Context and Broader Implications
The wp2shell disclosure arrives at a time when WordPress security is under intense scrutiny. In June 2026, the leak of a server belonging to a threat actor group known as WP-SHELLSTORM revealed that they had successfully compromised over 17,000 websites using a previously patched vulnerability in a popular caching plugin. The fact that wp2shell exists in the core software and works on default settings makes it a much more potent tool for mass exploitation.
The incident underscores a fundamental tension in open-source security: the "Map to the Bug" dilemma. When a project as large as WordPress ships a security fix, it essentially provides a blueprint for attackers to target those who haven’t updated yet. The decision to use forced updates reflects the WordPress Foundation’s recognition that the speed of the "patch-to-exploit" cycle has reached a point where manual administrator intervention is often too slow.
Conclusion
As of July 18, 2026, there have been no confirmed reports of mass exploitation in the wild, but security researchers warn that the "quiet period" is likely to be short-lived. With a public PoC available on GitHub, script-kiddies and sophisticated state-sponsored actors alike now have the tools necessary to scan the internet for unpatched WordPress 6.9 and 7.0 installations.
The wp2shell event serves as a stark reminder of the risks associated with the centralized nature of the modern web. When a single software core powers nearly half of all websites, a single flaw can become a systemic risk. Site owners are urged to verify their current WordPress version immediately and ensure that the emergency patches have been successfully applied. The coming weeks will determine whether the WordPress core team’s aggressive "forced update" strategy was enough to outpace the inevitable wave of automated attacks.






