WordPress Issues Emergency Patch for Critical wp2shell Remote Code Execution

by priyanka.patel tech editor
Understanding the Vulnerability

WordPress has released emergency security updates to address a critical remote code execution (RCE) vulnerability in its core software that allows an anonymous user to execute code on a site without requiring plugins or non-default configurations. The vulnerability, identified as “wp2shell,” was discovered by Adam Kues of Assetnote, the attack-surface-management arm of Searchlight Cyber, and reported via the WordPress HackerOne program. Due to the severity of the flaw, WordPress took the rare step of enabling forced auto-updates for affected installations on July 17, 2026.

Understanding the Vulnerability

The vulnerability is a chain of two distinct issues. The first is an SQL injection in the `author__not_in` parameter of `WP_Query`, tracked as CVE-2026-60137. The second is a REST API batch-route confusion issue within the `/wp-json/batch/v1` endpoint, tracked as CVE-2026-63030. While the batch endpoint has been part of WordPress since version 5.6 in 2020, the vulnerability is present in versions 6.9 and later. When chained, these flaws allow an unauthenticated attacker to trigger remote code execution. WordPress core files updated to mitigate these risks include `/wp-includes/rest-api/class-wp-rest-server.php`, `/wp-includes/class-wp-query.php`, and `/wp-includes/rest-api.php`.

Understanding the Vulnerability
Photo: Aikido

Affected Versions and Mitigation

The vulnerability affects specific recent versions of WordPress. Users are advised to verify their current version within their dashboard rather than assuming a forced update has been successfully applied, as it remains unconfirmed whether these pushes reach sites that have explicitly disabled background updates.

Version Status Table

WordPress VersionStatusRemediation
6.9.0 – 6.9.4Vulnerable to RCEUpdate to 6.9.5
7.0.0 – 7.0.1Vulnerable to RCEUpdate to 7.0.2
7.1 BetaVulnerable to RCEUpdate to 7.1 beta2
6.8.xVulnerable to SQLiUpdate to 6.8.6

Versions older than 6.8 are unaffected by either issue.

WordPress 7.0.2 Security Alert: Critical SQLi & RCE Patched

Interim Defensive Measures

For administrators unable to update immediately, Searchlight Cyber suggests several temporary mitigations designed to block anonymous access to the batch endpoint. Each of these carries the risk of disrupting legitimate site integrations: * WAF Configuration: Block both the path `/wp-json/batch/v1` and the query string route `rest_route=/batch/v1`. Blocking only the path is insufficient as it leaves the query-string route open to exploitation. * REST API Access: Disable unauthenticated access to the WordPress REST API entirely. * Must-Use Plugin: Implement a small plugin to reject anonymous requests to `/batch/v1` at `rest_pre_dispatch`.

The Security Landscape

As of July 18, 2026, no exploitation attempts had been reported. However, security experts warn that this silence is likely temporary. Because WordPress is open source, the differences between vulnerable and patched versions are publicly available in the release archives, providing a roadmap for potential attackers. While Searchlight Cyber has provided a checker at `wp2shell.com` for owners to test their instances, the site has experienced intermittent connectivity issues. The firm has opted to withhold technical details for now to provide defenders additional time to apply patches. The urgency of this update stems from the fact that the vulnerability is reachable by any anonymous user. With no CVE-keyed scanners currently capable of flagging this issue—as no CVE records had appeared by July 18—site operators are encouraged to track the vulnerability by version number and prioritize manual verification of their site’s security status.

You may also like