Wp2shell: Critical Pre-Authentication RCE Vulnerability Strikes WordPress Core, Impacting Hundreds of Millions of Websites

A critical vulnerability chain, dubbed "wp2shell," has been identified in WordPress core, enabling unauthenticated remote code execution (RCE) on an estimated hundreds of millions of websites. This severe flaw, which leverages two distinct bugs – a REST API batch-route confusion (CVE-2026-63030) and a SQL injection (CVE-2026-60137) – allows an anonymous HTTP request to gain control over a vulnerable WordPress site. The exploit requires no preconditions and impacts bare WordPress installations without any plugins, underscoring the gravity of the situation for the world’s most popular content management system. Following its discovery and the rapid development of a working proof-of-concept (PoC), WordPress promptly released patches 6.9.5 and 7.0.2 on Friday, July 17, 2026, and initiated forced updates through its auto-update system to mitigate the widespread threat.
The Anatomy of wp2shell: A Chained Attack
The wp2shell vulnerability is not a singular flaw but a sophisticated chain of two separate, high-impact bugs. Each vulnerability, while significant on its own, becomes catastrophic when linked, culminating in unauthenticated RCE.
1. CVE-2026-60137: SQL Injection in WordPress Core
The first component of the chain is a SQL injection vulnerability residing within WordPress core, specifically affecting the author__not_in parameter of the WP_Query class. This parameter is typically designed to accept an array of author IDs to exclude from a query. However, security researchers discovered a critical oversight: if a string value, rather than an expected array, is supplied to author__not_in, the validation check that anticipates an array is bypassed. This allows the raw, unvalidated string to be directly inserted into the SQL query, creating a classic SQL injection vector. Such an injection can lead to unauthorized data disclosure, modification, or even control over the database, depending on the privileges of the database user. This particular SQL injection has a long reach, affecting WordPress versions going back to 6.8.
2. CVE-2026-63030: REST API Batch-Route Confusion
The second, and arguably more insidious, component is a novel batch-route confusion bug within WordPress’s REST API. This flaw is specific to the /wp-json/batch/v1 endpoint, which was introduced in WordPress 5.6 (2020) to allow clients to send multiple API requests in a single HTTP call, thereby improving performance and reducing overhead. The batch endpoint works by processing several "sub-requests" concurrently and tracks them using two parallel arrays. The vulnerability arises when an error occurs during the processing of one of these sub-requests. This error can desynchronize the parallel arrays, causing a subsequent sub-request to be processed by an incorrect handler – effectively, a request is executed under the context or logic of a different, unintended request. This "confusion" is critical because it allows an attacker to bypass the endpoint’s internal allow-list, which is designed to restrict which parameters can be accessed or modified through the batch API. By manipulating this confusion, an attacker can route arbitrary input, including malicious data, to otherwise protected or inaccessible parameters. This batch-route confusion bug is a newer introduction, present only in WordPress versions 6.9 and later.
The Chaining Effect: From Injection to RCE
The true power of wp2shell lies in how these two vulnerabilities are chained. The REST API batch-route confusion (CVE-2026-63030) serves as the "unauthenticated gateway." It allows an anonymous attacker to inject arbitrary data into the author__not_in parameter of WP_Query, even without a legitimate login or session. Once the batch-route confusion successfully bypasses authentication and input validation mechanisms, the SQL injection (CVE-2026-60137) takes over. The injected SQL payload can then be crafted to achieve remote code execution. This typically involves using database functions to write malicious PHP code to a file on the server, which can then be accessed and executed by the attacker, granting full control over the compromised website. This chaining is what elevates the threat from a high-severity SQL injection to a critical pre-authentication RCE.

Chronology of Discovery, Disclosure, and Patching
The timeline of the wp2shell vulnerability highlights the rapid pace of modern cybersecurity threats and the agile response required from software vendors.
- Discovery of Batch-Route Bug: The initial discovery of the REST API batch-route confusion (CVE-2026-63030) was made by Adam Kues, a security researcher at Assetnote, the attack surface management division of Searchlight Cyber. Kues responsibly reported his findings through WordPress’s official HackerOne bug bounty program, a common channel for security researchers to disclose vulnerabilities privately to vendors.
- Separate SQL Injection Discovery: Independently, the SQL injection (CVE-2026-60137) was reported by a separate group of researchers identified as TF1T, dtro, and haongo. This simultaneous discovery by different parties underscores the inherent discoverability of such flaws, especially in widely used open-source software.
- Coordinated Response and Patch Development: Upon receiving these reports, the WordPress core development team initiated a rapid response effort. Recognizing the severity of the chained vulnerabilities, they worked diligently to develop patches that would address both issues.
- Patch Release and Forced Updates: On Friday, July 17, 2026, WordPress released emergency security updates: version 6.9.5 for the 6.9 branch and 7.0.2 for the 7.0 branch. Additionally, version 6.8.6 was released to specifically address the SQL injection for earlier sites not susceptible to the full RCE chain. In an unprecedented move, WordPress leveraged its auto-update system to enable "forced updates," aiming to push the critical patches to as many sites as possible without user intervention, acknowledging the high risk of mass exploitation.
- Public Disclosure and PoC Availability: By Saturday, July 18, 2026, the full mechanism of the wp2shell attack was publicly disclosed. Searchlight Cyber published a write-up under the name "wp2shell," detailing the attack’s nature and impact. Crucially, a working proof-of-concept (PoC) exploit was also made public on GitHub, a common repository for code. While Searchlight Cyber initially exercised some reticence in publishing their full technical write-up to give users time to patch, the open-source nature of WordPress meant that other researchers quickly reverse-engineered the patches, making the exploit mechanism widely known shortly after the updates were released.
- CVE ID Assignment: The two vulnerabilities were officially assigned Common Vulnerabilities and Exposures (CVE) identifiers: CVE-2026-63030 for the REST API batch-route confusion and CVE-2026-60137 for the SQL injection in WordPress core.
Scope and Impact: A Global Threat
WordPress powers an astonishing proportion of the internet. Searchlight Cyber estimates that over 500 million websites run on WordPress, making it the most dominant content management system globally. This vast footprint means any critical vulnerability in its core can have far-reaching consequences.
Affected Versions and Exposure:
It’s crucial to differentiate between the total WordPress install base and the specific set of sites vulnerable to the full RCE chain.
- Full RCE Chain (6.9 and 7.0): The complete pre-authentication RCE chain, leveraging both the batch-route confusion and the SQL injection, affects WordPress versions 6.9 and 7.0. WordPress 6.9 was released on December 2, 2025, meaning that every site exposed to the code-execution path is running a relatively recent release, less than eight months old. Patches 6.9.5 and 7.0.2 address this full chain.
- SQL Injection Only (6.8 and earlier): Versions of WordPress from 6.8 backward are vulnerable to the SQL injection (CVE-2026-60137) but are not susceptible to the batch-route confusion (CVE-2026-63030) as it was introduced in 6.9. Therefore, a 6.8 site is not exploitable for RCE through this specific chain, though the SQL injection itself remains a significant threat. WordPress 6.8.6 specifically patches the SQL injection for these older versions.
- Future Versions: WordPress 7.1 beta2, currently in development, also carries both fixes, ensuring future releases are secure against this specific threat.
Severity Ratings and Discrepancies:
The severity of the vulnerabilities, as reflected in their scores, presents an interesting nuance.
- WordPress’s Advisory: The official WordPress advisory, hosted on GitHub, rates the entire RCE chain as "Critical." This aligns with the industry standard for vulnerabilities allowing unauthenticated remote code execution.
- CVE Record Scores: However, the official CVE record for the RCE chain (presumably CVE-2026-63030 when considered in isolation or with limited context) scores it 7.5, classifying it as "High" severity. This score primarily credits data access impact and does not fully account for the integrity or availability loss that typically accompanies code execution. Conversely, the SQL injection (CVE-2026-60137) alone receives a score higher than 9.1, classifying it as "Critical." This discrepancy highlights how individual components can be scored differently based on their direct impact, even when combined they form a more devastating attack. Security professionals are advised to track both CVEs closely and understand the combined threat, rather than relying solely on a single label or score.
Mitigating Factors and Challenges
While the threat is severe, certain factors can influence a site’s exposure, though none entirely negate the risk.
- Persistent Object Cache: One condition that potentially narrows the blast radius for the RCE path is the presence of a persistent object cache. Cloudflare, which promptly shipped Web Application Firewall (WAF) rules to protect its customers, noted that the code-execution path might only work when the site is not running a persistent object cache. Technologies like Redis or Memcached, when configured as a persistent object cache for WordPress, could inadvertently disrupt the exploit’s mechanics. However, this is a side effect of the cache’s operation, not an intentional security fix, and most default WordPress installations do not utilize a persistent object cache, leaving them fully exposed. Crucially, a persistent object cache would not mitigate the underlying SQL injection vulnerability.
- Forced Updates and User Responsibility: WordPress’s decision to implement "forced updates" demonstrates the urgency of the situation. However, it remains unclear whether these forced pushes reach sites that have explicitly disabled auto-updates. Many site administrators, particularly those managing complex environments or using custom configurations, opt out of automatic updates to maintain control over their update cycles and prevent potential compatibility issues. Therefore, site owners cannot assume the patch has landed and must actively verify the version of WordPress they are running. Manual inspection and immediate updating are the most reliable courses of action.
Industry Reactions and Defensive Measures
The security community’s response to wp2shell has been swift and coordinated, reflecting the gravity of the vulnerability.

- Security Vendors:
- Searchlight Cyber/Assetnote: As the initial discoverers of the batch-route bug, Searchlight Cyber and Assetnote played a crucial role in the responsible disclosure process. Their research led to the initial
wp2shellwrite-up and the provision of a checker tool atwp2shell.com, allowing site owners to quickly ascertain their vulnerability status. - Cloudflare: A major content delivery network and security provider, Cloudflare reacted immediately by deploying WAF rules to protect its vast customer base. Their insights into the persistent object cache condition provided valuable context for the broader security community.
- Rapid7: A prominent cybersecurity firm, Rapid7 announced that authenticated checks for its InsightVM and Nexpose vulnerability management solutions would be available by July 20. This allows organizations to scan their internal and external WordPress assets to identify vulnerable instances.
- Searchlight Cyber/Assetnote: As the initial discoverers of the batch-route bug, Searchlight Cyber and Assetnote played a crucial role in the responsible disclosure process. Their research led to the initial
- Government Agencies: As of July 18, the vulnerability had not yet been added to CISA’s (Cybersecurity and Infrastructure Security Agency) Known Exploited Vulnerabilities (KEV) Catalog. CISA typically lists vulnerabilities in this catalog only after confirmed exploitation in the wild. While this might offer a thin comfort, the rapid public availability of a PoC and the history of WordPress exploitation suggest that confirmed attacks are likely imminent.
- WordPress Core Team: The core team’s rapid patch development and deployment, including the controversial but necessary "forced updates," underscore their commitment to securing the platform. Their transparent advisory on GitHub, rating the RCE chain as Critical, also provided clear guidance to users.
Broader Implications and Lessons Learned
The wp2shell vulnerability serves as a stark reminder of the ongoing challenges in securing widely adopted software and highlights several critical lessons for the cybersecurity landscape.
The Scale of Mass Exploitation:
WordPress has historically been a prime target for mass exploitation due to its immense popularity and the diverse technical proficiency of its user base. The "WP-SHELLSTORM" campaign, which leveraged a caching-plugin flaw to compromise over 17,000 sites, demonstrated the efficiency of attackers. That particular bug, though public and patched, only worked on a non-default setting. In contrast, wp2shell is public, patched, and works on default WordPress installations, drastically increasing the potential for widespread compromise. This scenario creates a race against time: how quickly can patches reach sites before attackers leverage public exploits?
The Disclosure Dilemma:
The wp2shell incident perfectly illustrates the inherent tension in vulnerability disclosure. On one hand, responsible disclosure requires giving vendors time to develop and distribute patches before publicizing details. On the other hand, the open-source nature of platforms like WordPress means that once a patch is released, the "map to the bug" is essentially public. Security researchers can, and often do, reverse-engineer patches to understand the underlying vulnerability and develop exploits. WordPress’s swift patch release and forced update mechanism were strategic moves to pull the "lever" of patch deployment as hard as possible, hoping to outpace attackers. However, the subsequent rapid publication of the exploit mechanism by other researchers demonstrates the difficulty of controlling information in the open-source ecosystem.
User Responsibility and Proactive Security:
The incident underscores the critical importance of proactive security measures for all WordPress site owners.
- Verify Updates: Do not assume auto-updates have landed, especially if you have previously disabled them. Manually check your WordPress version and ensure you are running 6.9.5, 7.0.2, or 6.8.6.
- Implement Mitigations: While waiting for updates, consider implementing temporary mitigation strategies. Searchlight Cyber suggests measures to block anonymous callers from accessing the
/wp-json/batch/v1endpoint. These include:- Blocking access to
/wp-json/batch/v1at the network edge (WAF, CDN, Nginx, Apache). - Using WordPress’s
rest_api_batch_request_allowlistfilter to restrict endpoint access. - Implementing a hard block for the batch endpoint if not actively used.
These are stopgaps and may break legitimate integrations, so they are only viable until a full update can be applied.
- Blocking access to
- Monitor Traffic: Site administrators should actively monitor their web server logs for suspicious traffic targeting the
/wp-json/batch/v1endpoint. Anomalous requests, especially those from unfamiliar IP addresses or containing unusual payloads, could indicate an attempted exploitation. - Layered Security: The incident reinforces the need for a layered security approach, including robust WAFs, intrusion detection/prevention systems, and regular security audits.
The Future of WordPress Security:
As WordPress continues to evolve and introduce new features like the REST API batch endpoint, the attack surface expands. The wp2shell vulnerability highlights the need for continuous vigilance, rigorous security testing, and swift response mechanisms from the WordPress core team. It also emphasizes the collective responsibility of the broader security community and individual site owners to stay informed and act decisively.
In the wake of this critical disclosure, the cybersecurity community is closely watching two key metrics: WordPress’s version statistics, which will reveal how many sites successfully applied the patches, and scan traffic against /wp-json/batch/v1, which will indicate the level of attacker interest. Whichever curve proves steeper will ultimately determine how wp2shell is remembered in the annals of cybersecurity – as a near-miss averted by rapid action, or as another significant chapter in the ongoing saga of mass exploitation.







