New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

The critical nature of the situation escalated on July 18, 2026, when official Common Vulnerabilities and Exposures (CVE) identifiers were assigned to the flaws and a functional proof-of-concept (PoC) was published on GitHub. WordPress has responded with an unprecedented "forced update" campaign, pushing security patches to millions of sites through its automated update infrastructure to mitigate what experts describe as a "worst-case scenario" for web security.
The Technical Foundations of wp2shell
The wp2shell exploit is not a single bug but a sophisticated chain of two separate vulnerabilities that, when combined, allow an anonymous attacker to execute arbitrary code on a target server. The first component, identified as CVE-2026-63030, involves a logic error in the WordPress REST API’s batch processing route. The second component, CVE-2026-60137, is a high-severity SQL injection vulnerability located within the WordPress core query engine.
The discovery began with Adam Kues, a researcher at Assetnote—the attack surface management division of Searchlight Cyber. Kues identified the batch-route confusion during a deep-dive audit of the WordPress REST API and reported the finding through the WordPress bug bounty program hosted on HackerOne. Simultaneously, the SQL injection component was independently discovered and reported by a group of researchers including TF1T, dtro, and haongo.
The vulnerability chain is particularly potent because it bypasses the standard authentication requirements of the WordPress REST API. Under normal circumstances, many administrative or data-sensitive API endpoints require valid user credentials. However, the batch-route confusion allows an attacker to "trick" the server into processing a restricted request as if it were a public, unauthenticated one.
Understanding the Exploitation Mechanism
The core of the wp2shell attack lies in how WordPress handles nested requests. The /wp-json/batch/v1 route was introduced in WordPress 5.6 to allow developers to perform multiple API actions within a single HTTP request, reducing latency and overhead. The system tracks these sub-requests using parallel arrays to manage handlers and data.
According to technical analysis provided by Searchlight Cyber, a specific error-handling flaw in the batch processing logic allows these parallel arrays to become desynchronized. By sending a carefully crafted, malformed sub-request that triggers a specific error state, an attacker can knock the internal pointer out of alignment. This causes a subsequent sub-request—which would normally be blocked for an anonymous user—to be executed under the handler of a previous, permitted request.
Once the attacker has bypassed the authentication layer via CVE-2026-63030, they leverage CVE-2026-60137 to interact with the database. The SQL injection exists within the author__not_in parameter of the WP_Query class. In a standard operation, this parameter expects an array of author IDs to exclude from a query. However, the core code fails to properly validate the input if a string is provided instead of an array. By passing a raw string containing malicious SQL commands, an attacker can break out of the intended query and execute arbitrary database commands.

In a default WordPress configuration, this database access can be escalated to full remote code execution. By manipulating the database to alter site options or inject malicious payloads into the plugin/theme management system, an attacker can gain the ability to run PHP code on the underlying server, effectively seizing control of the entire website and its hosting environment.
Timeline of Discovery and Remediation
The timeline of the wp2shell disclosure highlights the rapid pace of modern vulnerability research and the challenges of securing a platform that powers over 40% of the internet.
- December 2, 2025: WordPress 6.9 is released, inadvertently introducing the batch-route confusion logic that would later become a key component of the wp2shell chain.
- Early 2026: Researchers at Assetnote and other independent security firms identify the SQL injection and API routing flaws.
- July 10, 2026: Detailed reports are submitted to the WordPress security team via HackerOne.
- July 15, 2026: WordPress developers finalize patches for the vulnerabilities and begin preparing for a massive rollout.
- July 17, 2026: WordPress officially releases versions 6.9.5, 7.0.2, and 6.8.6. The company initiates a "forced update" for all managed sites, bypassing some user-defined update restrictions to ensure immediate protection.
- July 18, 2026: CVE IDs are assigned, and technical write-ups are published by Searchlight Cyber and Cloudflare. A working proof-of-concept exploit is uploaded to GitHub by third-party researchers who reverse-engineered the patch.
- July 20, 2026 (Projected): Major security scanning vendors, including Rapid7, are expected to deploy authenticated and unauthenticated checks for their vulnerability management platforms.
Impact Analysis and Affected Versions
The "blast radius" of wp2shell is determined by the specific versions of WordPress in use. While the SQL injection (CVE-2026-60137) is present in versions as old as 6.8, the critical RCE chain only becomes possible in versions 6.9 and 7.0 due to the presence of the REST API batch confusion.
The impact is segmented as follows:
- WordPress 7.0 and 6.9: Highly vulnerable to unauthenticated RCE. This represents the newest and most widely used versions of the software.
- WordPress 6.8: Vulnerable to SQL injection but not the unauthenticated RCE chain via the batch endpoint. While less severe than RCE, the SQL injection still allows for significant data exfiltration or site defacement.
- WordPress 7.1 Beta 2: This developmental version already contains the necessary security fixes.
Searchlight Cyber estimates that while over 500 million websites use WordPress, the specific number of exposed sites is likely in the tens of millions, specifically those that have updated to version 6.9 or higher since December 2025 but have not yet applied the July 17 patches.
A notable mitigating factor has been identified by Cloudflare. The RCE path appears to be blocked on sites utilizing a persistent object cache, such as Redis or Memcached. These caching layers change the way WP_Query interacts with the database and the file system, inadvertently breaking the attacker’s ability to achieve code execution. However, Cloudflare warns that this is a "side effect of configuration" rather than a true security fix, as the underlying SQL injection remains exploitable for data theft.
Official Responses and Industry Reaction
The decision by WordPress to utilize "forced updates" has sparked a debate within the web administration community. While many security professionals applaud the move as a necessary measure to prevent a global "zombie" network of compromised sites, some administrators expressed concern over the potential for updates to break customized site functionality.
In an official security advisory, the WordPress core team stated, "The security of our users is our highest priority. Given the unauthenticated nature of this vulnerability and its potential for widespread exploitation, we have taken the exceptional step of pushing these updates to all sites capable of receiving them. We urge all administrators to manually verify their site version to ensure the patch has been successfully applied."

Major web security vendors have also stepped in. Cloudflare has already deployed specialized Web Application Firewall (WAF) rules to its global network to block attempts to exploit the /wp-json/batch/v1 route. Similarly, Searchlight Cyber launched a public "checker" tool at wp2shell.com, allowing site owners to verify if their domains are vulnerable without performing a full-scale penetration test.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has not yet added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, as there have been no confirmed reports of mass exploitation in the wild as of July 18. However, security analysts warn that the window of safety is closing rapidly now that a public PoC is available.
Broader Implications for the WordPress Ecosystem
The wp2shell incident serves as a stark reminder of the risks associated with "monocultures" in software. Because WordPress powers such a vast percentage of the web, a single flaw in its core code can have systemic implications for the global digital economy.
The "WP-SHELLSTORM" incident of June 2026, which saw over 17,000 sites compromised via a caching plugin flaw, was previously considered a major event. However, wp2shell is significantly more dangerous because it does not rely on third-party plugins. It targets the very foundation of the CMS.
For site administrators, the primary takeaway is the necessity of a multi-layered defense strategy. Relying solely on the CMS’s internal security is no longer sufficient. Recommendations for immediate action include:
- Immediate Verification: Manually check the WordPress version to ensure it is 6.9.5, 7.0.2, or 6.8.6.
- Endpoint Restriction: If possible, disable or restrict access to the
/wp-json/batch/v1API route at the server or WAF level until the update is confirmed. - Database Hardening: Implement the principle of least privilege for the database user that WordPress uses, limiting its ability to execute administrative commands or access sensitive system tables.
- Adoption of Caching: While not a fix, implementing a persistent object cache like Redis can provide an additional layer of protection against certain RCE vectors.
As the update continues to roll out, the security community will be closely monitoring scan traffic. The race between automated patch delivery and the mobilization of threat actors will determine whether wp2shell becomes a historical footnote or one of the most damaging cyberattacks of the decade. The speed with which researchers were able to weaponize the patch serves as a final, urgent warning: in the modern era of disclosure, the time to patch is measured in hours, not days.






