New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

A severe vulnerability, allowing anonymous HTTP requests to execute arbitrary code on WordPress sites, has sent ripples through the internet’s most popular content management system. Tracked under the moniker ‘wp2shell,’ this critical flaw resides within WordPress core, meaning even a bare, plugin-free installation is immediately exploitable. The security incident, which came to light with the release of emergency patches and a public proof-of-concept (PoC), prompted WordPress to leverage its auto-update system for a "forced update" rollout to mitigate the widespread threat.
Unpacking the ‘wp2shell’ Threat: A Chained Vulnerability
The ‘wp2shell’ exploit is not a singular flaw but rather a sophisticated chain of two distinct vulnerabilities, each now carrying its own Common Vulnerabilities and Exposures (CVE) identifier. The first, CVE-2026-63030, relates to a REST API batch-route confusion, a logic error within the system that processes multiple requests simultaneously. The second, CVE-2026-60137, is a classic SQL injection vulnerability discovered within WordPress core. When exploited in sequence, these two bugs enable an unauthenticated attacker to achieve Remote Code Execution (RCE), granting them complete control over the affected WordPress site.
The full mechanism of the attack has since been publicly detailed, and a functional proof-of-concept has been made available on GitHub, escalating the urgency for site administrators to update their installations. This rapid public disclosure following the patch release highlights the ongoing race between security researchers, developers, and malicious actors in the cybersecurity landscape.
Discovery and Disclosure Timeline
The initial discovery of the critical batch-route confusion bug (CVE-2026-63030) is credited to Adam Kues of Assetnote, the attack surface management division of Searchlight Cyber. Kues responsibly reported his findings through WordPress’s established HackerOne bug bounty program, a crucial channel for identifying and addressing security flaws in open-source projects. Separately, the SQL injection vulnerability (CVE-2026-60137) was reported by a collaborative effort of researchers identified as TF1T, dtro, and haongo.
Upon receiving these reports, the WordPress security team initiated its standard protocol of developing and testing patches. The urgency of the situation became evident on Friday, July 17, 2026 (implied from the article’s update date), when WordPress released emergency updates: versions 6.9.5 and 7.0.2. Crucially, WordPress activated its "forced updates" mechanism, a rarely used but vital tool designed to push critical security patches to installations quickly and broadly, bypassing user-configured auto-update preferences in some cases.
By Saturday, July 18, 2026, the situation evolved rapidly. Both vulnerabilities were assigned their official CVE IDs, providing standardized identifiers for tracking and communication within the security community. Furthermore, the complete technical mechanism behind ‘wp2shell’ was published, giving security professionals an in-depth understanding of the exploit. Concurrently, a working proof-of-concept exploit appeared on GitHub, transforming the theoretical threat into a practical and immediate danger for unpatched sites. Searchlight Cyber, while initially withholding its own detailed technical write-up, did provide a checker tool at wp2shell.com for site owners to assess their vulnerability. However, the open-source nature of WordPress and the public availability of the patch code meant that other researchers quickly reverse-engineered the fix to understand the underlying flaw, rendering any reticence largely moot.
The Technical Deep Dive: How ‘wp2shell’ Works
Understanding the intricate dance between the two vulnerabilities is key to appreciating the severity of ‘wp2shell’.
CVE-2026-63030: The REST API Batch-Route Confusion

The WordPress REST API, introduced in version 4.7 (2016) and significantly expanded since, serves as a powerful interface for interacting with WordPress data programmatically. It allows external applications and JavaScript frontends to read and write content, manage users, and perform various administrative tasks. A core component of the REST API is the batch endpoint, specifically /wp-json/batch/v1, which was integrated into WordPress 5.6 in 2020. This endpoint was designed for efficiency, allowing clients to send multiple sub-requests within a single HTTP call, thereby reducing network overhead and improving performance.
The flaw lies in how this batch endpoint processes these concurrent sub-requests. Internally, WordPress manages these requests using two parallel arrays. The vulnerability arises when an error occurs during the processing of one sub-request. Instead of gracefully handling this error and maintaining synchronization, the error causes the two arrays to fall out of step by exactly one position. This desynchronization means that a subsequent request is then processed using the handler intended for a different request.
Attackers exploit this confusion by carefully crafting nested requests. By manipulating the sequence and content of these sub-requests, they can bypass the endpoint’s allow-list, which typically restricts what parameters and values can be passed. This bypass then allows the attacker’s malicious input to be fed into a vulnerable parameter further down the execution chain, leading directly to the SQL injection. The batch-route confusion, critically, was introduced only in WordPress 6.9, making it the linchpin that transforms the SQLi into an unauthenticated RCE for newer installations.
CVE-2026-60137: The SQL Injection Flaw
SQL injection is one of the oldest and most persistent web application vulnerabilities. It occurs when an attacker can insert or "inject" malicious SQL code into an input field, which is then executed by the database. This can lead to unauthorized data access, modification, or even complete control over the database. In the context of ‘wp2shell,’ the SQL injection resides within WP_Query‘s author__not_in parameter. WP_Query is a fundamental WordPress class used to retrieve posts, pages, and other content based on various criteria. The author__not_in parameter is designed to exclude posts by specific author IDs.
The vulnerability arises when the author__not_in parameter, which expects an array of author IDs, is instead supplied with a string. A crucial check designed to ensure the input is an array is bypassed when a string is provided. This oversight allows the raw, unvalidated string value (containing the attacker’s malicious SQL code) to be directly inserted into the SQL query executed by the database.
While SQL injection is inherently severe, often leading to data exfiltration or database compromise, its direct reach usually requires some level of authentication or specific conditions. The genius and danger of ‘wp2shell’ lie in the REST API batch-route confusion (CVE-2026-63030), which provides an unauthenticated pathway to deliver the malicious input to this vulnerable author__not_in parameter, thus elevating the SQL injection’s impact to RCE.
Affected Versions and the Global Update Imperative
The version ranges affected by ‘wp2shell’ are critical for administrators to understand:
- For the full Remote Code Execution (RCE) chain: WordPress versions 6.9 and 7.0 were vulnerable. These have been patched with the release of WordPress 6.9.5 and 7.0.2, respectively. The RCE path specifically relies on the batch-route confusion, which was introduced in WordPress 6.9, released on December 2, 2025. This means sites exposed to the full RCE chain are relatively new installations, less than eight months old.
- For the standalone SQL Injection (SQLi): The SQL injection (CVE-2026-60137) has a longer lineage, extending back to WordPress 6.8. While a 6.8 site is not exploitable for RCE via this specific chain, it remains vulnerable to the SQL injection itself. WordPress addressed this with the release of WordPress 6.8.6, which patches the injection alone.
- Future Releases: WordPress 7.1 beta2, which was in development, incorporates both fixes, ensuring that the next major release will be secure against these specific vulnerabilities.
WordPress’s decision to enable "forced updates" underscores the severity and widespread potential impact of ‘wp2shell.’ While WordPress’s auto-update system is generally robust, many site owners, particularly those managing complex environments or custom setups, often disable automatic updates to prevent unforeseen compatibility issues. WordPress has not explicitly stated whether the forced push reaches sites that have explicitly turned off auto-updates. This ambiguity places a significant burden on administrators to actively verify their current WordPress version and ensure the necessary patches have been applied. Given that over 500 million websites reportedly run WordPress globally – a staggering figure representing a significant portion of the entire internet – the scale of this patching effort is monumental. Even if only a fraction of these sites are running the 6.9+ versions vulnerable to RCE, the number easily reaches into the tens of millions.
Severity Scoring: A Nuanced Perspective
The scoring of vulnerabilities can often be complex and sometimes appears contradictory. In the case of ‘wp2shell,’ the severity ratings present an interesting divergence:

- WordPress’s Official Advisory: The advisory published by WordPress itself (e.g., on GitHub) rates the complete RCE chain as Critical. This reflects the ultimate outcome of the chained exploit: unauthorized code execution, which grants an attacker full control over the site.
- CVE Record Scores: The individual CVE records tell a slightly different story. CVE-2026-63030 (the REST API batch-route confusion) is scored around 7.5 (High). This score often reflects the direct impact of a parsing or logic flaw, which, on its own, might only lead to information disclosure or minor disruption. Crucially, the impact metrics often credit only data access, rather than the integrity or availability loss that would typically be associated with code execution. In contrast, CVE-2026-60137 (the SQL injection) receives a higher score, typically 9.1 or higher (Critical). This higher rating reflects the direct and immediate impact of SQL injection, which can lead to direct database compromise, including data exfiltration, manipulation, and even administrative access.
The apparent discrepancy arises because CVE scores often evaluate individual components rather than the combined impact of a chained exploit. While the batch-route confusion alone might seem less severe, it is the critical link that elevates the SQL injection to an unauthenticated RCE. Therefore, security professionals are strongly advised to track both CVEs and understand their combined effect, rather than relying solely on the individual scores or a single label. The real-world impact of ‘wp2shell’ is unequivocally Critical due to the RCE capability.
Mitigation and Defensive Strategies
While immediate patching is the primary and most effective defense, certain conditions and temporary mitigations exist:
Persistent Object Caching as an Accidental Shield:
One notable condition narrows the blast radius of the RCE path: the code execution aspect of ‘wp2shell’ works only when the WordPress site is not running a persistent object cache. Technologies like Redis or Memcached are frequently used by high-traffic WordPress sites to improve performance by caching database queries and other frequently accessed data in memory. Cloudflare, which quickly deployed Web Application Firewall (WAF) rules in response to the disclosure, noted this specific detail.
A default WordPress installation does not come configured with a persistent object cache, meaning that default-install exposure to the full RCE remains. However, sites that have implemented Redis or Memcached as a persistent object cache may, by virtue of their architecture, be incidentally protected from the RCE path of ‘wp2shell.’ It is crucial to understand that this is a side effect of their caching strategy, not a deliberate security fix, and it does not protect against the underlying SQL injection (CVE-2026-60137), which remains a threat.
Temporary Stopgaps for Unpatched Sites:
For administrators who cannot immediately apply the patch, Searchlight Cyber offered several temporary mitigation strategies. These all revolve around restricting anonymous access to the /wp-json/batch/v1 endpoint. Examples include:
- Implementing WAF rules to block requests to
/wp-json/batch/v1from unauthenticated users. - Configuring server-level (e.g., Nginx, Apache) rules to deny access to this specific endpoint for anonymous requests.
- Using security plugins that offer fine-grained control over REST API access.
It is vital to stress that these are stopgaps only and should not be considered long-term solutions. They come with significant caveats, as blocking access to the batch endpoint can disrupt legitimate integrations and functionalities that rely on the REST API. The ultimate and recommended solution remains to update WordPress immediately to the patched versions.
Broader Industry Response and Future Implications
The cybersecurity industry responded swiftly to the ‘wp2shell’ disclosure. Cloudflare’s rapid deployment of WAF rules provides an immediate layer of protection for its users, automatically filtering malicious traffic attempting to exploit the vulnerability. Security vendors like Rapid7 confirmed that authenticated checks for its InsightVM and Nexpose platforms would be available by July 20, allowing organizations to scan their assets for the vulnerability.
As of July 18, the vulnerability had not yet appeared on CISA’s Known Exploited Vulnerabilities (KEV) catalog. Inclusion in the KEV catalog signifies confirmed active exploitation in the wild, which this vulnerability had not yet seen at the time of the report. However, this absence offers only "thinner comfort than it reads," given the public PoC and the history of mass exploitation in the WordPress ecosystem.
Mass exploitation of WordPress vulnerabilities has unfortunately become a common occurrence. Prior to this event, the "WP-SHELLSTORM" campaign, for instance, leveraged a caching-plugin flaw (already public and patched) to compromise over 17,000 sites. That particular bug, however, required a non-default setting to be exploitable. ‘wp2shell’ is arguably more dangerous: it is a core vulnerability, works on default settings, and now has a public exploit. This combination creates a perfect storm for potential widespread compromise.
For the WordPress ecosystem, this incident underscores several critical challenges:
- The Scale of the Attack Surface: With WordPress powering over 43% of all websites, any core vulnerability has massive implications.
- The Open-Source Dilemma: While transparency is a cornerstone of open-source development, the publication of patches often immediately provides a "map to the bug," accelerating exploit development. The race then becomes about how quickly patches can reach sites versus how quickly attackers can weaponize the information.
- User Responsibility: Despite forced updates, the onus remains on individual site administrators to verify their update status, understand their specific configurations (like persistent object caches), and maintain ongoing security vigilance.
- Continuous Security Investment: This event will likely prompt WordPress core developers to redouble efforts in security audits, code reviews, and bug bounty programs to proactively identify and fix vulnerabilities before they can be exploited.
In conclusion, the ‘wp2shell’ vulnerability represents a significant security event for the internet. Its critical nature, ease of exploitation via anonymous access, and presence in WordPress core necessitate immediate action from site administrators worldwide. While WordPress has pulled the lever hard on forced updates, the availability of a public exploit means the battle is now a race against time. The future memory of ‘wp2shell’ will hinge on which curve proves steeper: the widespread adoption of patches or the inevitable surge in malicious scan traffic targeting batch/v1 endpoints.







