WordPress has released emergency security updates to address a critical remote code execution (RCE) vulnerability in its core software that allows an anonymous user to execute code on a site without requiring plugins or non-default configurations. The vulnerability, identified as “wp2shell,” was discovered by Adam Kues of Assetnote, the attack-surface-management arm of Searchlight Cyber, and reported via the WordPress HackerOne program. Due to the severity of the flaw, WordPress took the rare step of enabling forced auto-updates for affected installations on July 17, 2026.
Understanding the Vulnerability
The vulnerability is a chain of two distinct issues. The first is an SQL injection in the `author__not_in` parameter of `WP_Query`, tracked as CVE-2026-60137. The second is a REST API batch-route confusion issue within the `/wp-json/batch/v1` endpoint, tracked as CVE-2026-63030. While the batch endpoint has been part of WordPress since version 5.6 in 2020, the vulnerability is present in versions 6.9 and later. When chained, these flaws allow an unauthenticated attacker to trigger remote code execution. WordPress core files updated to mitigate these risks include `/wp-includes/rest-api/class-wp-rest-server.php`, `/wp-includes/class-wp-query.php`, and `/wp-includes/rest-api.php`.

Affected Versions and Mitigation
The vulnerability affects specific recent versions of WordPress. Users are advised to verify their current version within their dashboard rather than assuming a forced update has been successfully applied, as it remains unconfirmed whether these pushes reach sites that have explicitly disabled background updates.
Version Status Table
| WordPress Version | Status | Remediation |
|---|---|---|
| 6.9.0 – 6.9.4 | Vulnerable to RCE | Update to 6.9.5 |
| 7.0.0 – 7.0.1 | Vulnerable to RCE | Update to 7.0.2 |
| 7.1 Beta | Vulnerable to RCE | Update to 7.1 beta2 |
| 6.8.x | Vulnerable to SQLi | Update to 6.8.6 |
Versions older than 6.8 are unaffected by either issue.
Interim Defensive Measures
For administrators unable to update immediately, Searchlight Cyber suggests several temporary mitigations designed to block anonymous access to the batch endpoint. Each of these carries the risk of disrupting legitimate site integrations: * WAF Configuration: Block both the path `/wp-json/batch/v1` and the query string route `rest_route=/batch/v1`. Blocking only the path is insufficient as it leaves the query-string route open to exploitation. * REST API Access: Disable unauthenticated access to the WordPress REST API entirely. * Must-Use Plugin: Implement a small plugin to reject anonymous requests to `/batch/v1` at `rest_pre_dispatch`.
The Security Landscape
As of July 18, 2026, no exploitation attempts had been reported. However, security experts warn that this silence is likely temporary. Because WordPress is open source, the differences between vulnerable and patched versions are publicly available in the release archives, providing a roadmap for potential attackers. While Searchlight Cyber has provided a checker at `wp2shell.com` for owners to test their instances, the site has experienced intermittent connectivity issues. The firm has opted to withhold technical details for now to provide defenders additional time to apply patches. The urgency of this update stems from the fact that the vulnerability is reachable by any anonymous user. With no CVE-keyed scanners currently capable of flagging this issue—as no CVE records had appeared by July 18—site operators are encouraged to track the vulnerability by version number and prioritize manual verification of their site’s security status.
- Skyroot Aerospace Readies Vikram-1 for Historic First Orbital Space Launch
- Honey Bee Larvae Lack Sense of Smell Due to Extreme Social Dependence
- China-Africa Partnership: Africa CDC Receives Emergency Support (archyde.com)
- Bay County Sheriff’s Office Issues Arrest Warrant for Cruz Vigil (news-usa.today)
