New wp2shell Vulnerability in WordPress Allows Code Execution by Unauthenticated Users

A critical vulnerability in WordPress, identified as wp2shell, enables unauthenticated attackers to execute code on affected sites. This flaw affects versions 6.9 and 7.0, with patches now available.

A significant vulnerability, dubbed wp2shell, has been discovered in the WordPress core, allowing unauthenticated attackers to execute code on affected sites. This flaw impacts installations of WordPress versions 6.9 and 7.0, even those with no additional plugins.

Details of the Vulnerability

The wp2shell vulnerability consists of two distinct bugs, both of which have been assigned CVE IDs. The first, CVE-2026-63030, relates to confusion in the REST API batch route, while the second, CVE-2026-60137, involves a SQL injection in the WordPress core. When combined, these vulnerabilities allow an anonymous HTTP request to execute code on the server.

Versions Affected and Patches Released

All versions from 6.9.0 to 7.0.1 were vulnerable until patches were released on July 14, 2026. The updates are as follows:

  • 6.8.0 to 6.8.5: Vulnerable to SQL injection only, fixed in version 6.8.6.
  • 6.9.0 to 6.9.4: Vulnerable to the full RCE chain, fixed in version 6.9.5.
  • 7.0.0 to 7.0.1: Vulnerable to the full RCE chain, fixed in version 7.0.2.
  • 7.1 beta2 includes both fixes.

WordPress has not confirmed whether the forced updates reach sites that have disabled auto-updates.

Exploitation and Impact

The vulnerability allows for code execution without any preconditions, making it particularly concerning. The SQL injection flaw has a CVSS score of over 9.1, categorized as Critical, while the RCE chain has a lower score of 7.5, classified as High. Notably, the RCE path is only exploitable if the site does not utilize a persistent object cache, which is not standard in default installations.

Mitigations and Recommendations

While patches are available, immediate actions are recommended to mitigate risks. Users are advised to restrict access to the batch endpoint by implementing firewall rules or disabling the WP REST API entirely. A temporary plugin has also been suggested to reject anonymous requests to the vulnerable endpoint.

As the exploit is now public, the urgency to update is heightened. The security community is monitoring the situation closely, given the potential for mass exploitation of WordPress sites.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

Avatar photo
NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.

Articles: 314