A newly disclosed set of vulnerabilities in WordPress core has exposed millions of websites to the risk of unauthenticated remote code execution, prompting WordPress to release emergency security updates for affected versions. The security issue, known as wp2shell, consists of two separate vulnerabilities that can be chained together to allow an attacker to execute code on a vulnerable WordPress installation without authentication. The flaws now have official identifiers, CVE 2026 63030 and CVE 2026 60137, and security researchers have already published the complete attack mechanism along with a working proof of concept. WordPress responded by releasing versions 6.9.5 and 7.0.2 while enabling forced updates through its automatic update system for supported installations.
According to the published research, CVE 2026 63030 affects the WordPress REST API batch endpoint by introducing a batch route confusion issue, while CVE 2026 60137 is a SQL injection vulnerability within WordPress core. Individually, the vulnerabilities present security risks, but when chained together they allow an anonymous HTTP request to progress from SQL injection to remote code execution. Adam Kues of Assetnote, part of Searchlight Cyber, discovered and reported the REST API vulnerability through WordPress HackerOne program, while the SQL injection flaw was independently reported by researchers TF1T, dtro, and haongo. The published wp2shell research states that the attack has no preconditions and can be exploited by anonymous users. Since the security updates became publicly available, researchers have analyzed the patches and released additional technical details, including a publicly available proof of concept on GitHub. Searchlight Cyber initially delayed releasing a detailed technical analysis and instead directed administrators to an online checker, but the publication of the patch enabled other researchers to reconstruct the complete attack chain.
The vulnerabilities affect different WordPress versions depending on the flaw involved. Versions 6.8.0 through 6.8.5 are vulnerable only to the SQL injection issue and are fixed in version 6.8.6. Versions 6.9.0 through 6.9.4 and versions 7.0.0 through 7.0.1 are affected by the complete remote code execution chain and require updates to versions 6.9.5 and 7.0.2 respectively. WordPress 7.1 beta2 also includes fixes for both vulnerabilities. Researchers explained that the SQL injection exists within the WP_Query author__not_in parameter, where improper validation allows user supplied input to be inserted directly into database queries. The REST API batch endpoint vulnerability enables attackers to reach the vulnerable parameter without authentication by exploiting an error that causes request handlers to become misaligned, allowing malicious requests to bypass endpoint restrictions. Although the batch endpoint has existed since WordPress 5.6, the route confusion issue was introduced in version 6.9. Security researchers also noted that the remote code execution chain functions only on systems that do not use a persistent object cache such as Redis or Memcached. However, this condition only limits the remote code execution path and does not eliminate the SQL injection vulnerability.
Security experts are urging WordPress administrators to install the latest security updates immediately because the vulnerabilities are now publicly documented and exploit code is readily available. Cloudflare has released managed Web Application Firewall protections that block attacks targeting both REST API batch endpoint paths, while Searchlight Cyber recommends temporarily blocking anonymous access to the batch endpoint, disabling unauthenticated REST API access where possible, or using its temporary plugin that rejects anonymous batch requests. These measures are intended only as temporary protections until systems can be updated. Rapid7 has also announced that authenticated detection checks for InsightVM and Nexpose are scheduled for release on July 20. Although the vulnerabilities have not been added to CISA Known Exploited Vulnerabilities catalog and there are no confirmed reports of active exploitation as of July 18, researchers warn that public disclosure combined with available exploit code significantly increases the likelihood of widespread scanning and attack attempts against unpatched WordPress installations.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.