Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical wp2shell RCE Vulnerability in WordPress Patched
July 18, 2026
Critical OpenSSL Vulnerability CVE-2023-5678 Exposes Servers to DoS Attacks
July 17, 2026
EY Data Breach: Attackers Access IT Support, Download Documents
July 17, 2026
Home/CyberSecurity News/Critical wp2shell RCE Vulnerability in WordPress Patched
CyberSecurity News

Critical wp2shell RCE Vulnerability in WordPress Patched

Key Takeaways A critical pre-authentication RCE vulnerability, dubbed “wp2shell,” has been discovered in WordPress Core. The flaw allows unauthenticated attackers to fully compromise over...

Emy Elsamnoudy
Emy Elsamnoudy
July 18, 2026 3 Min Read
3 0

Key Takeaways

  • A critical pre-authentication RCE vulnerability, dubbed “wp2shell,” has been discovered in WordPress Core.
  • The flaw allows unauthenticated attackers to fully compromise over 500 million WordPress websites without requiring plugins or special configurations.
  • Affected versions include WordPress 6.9.0-6.9.4, 7.0.0-7.0.1, and 7.1 beta.
  • WordPress has released urgent patches in versions 7.0.2, 6.9.5, and 6.8.6, with automatic updates being pushed to affected sites.

Critical wp2shell RCE Vulnerability in WordPress Patched

A severe pre-authentication remote code execution (RCE) vulnerability, identified as “wp2shell,” has been found within the core components of WordPress, threatening hundreds of millions of websites globally. This critical flaw permits unauthenticated attackers to gain complete control over vulnerable WordPress installations.

Table Of Content

  • Key Takeaways
  • Critical wp2shell RCE Vulnerability in WordPress Patched
  • Understanding the wp2shell Threat
  • Affected WordPress Versions and Patches
  • What You Should Do

The discovery was made by Adam Kues, a security researcher with Searchlight Cyber’s Assetnote team. Kues pinpointed a REST API batch-route confusion issue that could be chained with an SQL injection to achieve remote code execution. This vulnerability stands out due to its simplicity of exploitation, requiring no prior authentication or specific website configurations, making it a significant threat to default WordPress setups.

Understanding the wp2shell Threat

The “wp2shell” vulnerability is particularly dangerous because it bypasses common attack prerequisites. An attacker does not need user credentials, a vulnerable third-party plugin, or any unique site settings to compromise a target. The only requirement is a WordPress instance running an affected version that is accessible over the internet.

Recognizing the gravity of this bug, Searchlight Cyber withheld technical exploit details to allow website owners sufficient time to apply patches. Concurrently, they launched a free public scanner at wp2shell[.]com, empowering administrators to verify their site’s vulnerability status.

Affected WordPress Versions and Patches

The vulnerability spans a specific range of WordPress Core releases and is cataloged under two CVE identifiers: CVE-2026-60137, which also covers a separate SQL injection issue, and CVE-2026-63030, which specifically refers to the batch-route RCE flaw identified by Kues.

WordPress version range Status
6.8.5 and earlier Not affected
6.9.0 – 6.9.4 Affected
7.0.0 – 7.0.1 Affected
7.1 beta (pre-release) Affected

It is important to note that the WordPress 6.8 branch is susceptible only to the SQL injection component (CVE-2026-60137) and not the full RCE chain. A fix for this has been backported to version 6.8.6.

In response to this critical vulnerability, WordPress.org has shipped version 7.0.2, which includes fixes for both the RCE and the high-severity SQL injection. Corresponding backported fixes have also been released in versions 6.9.5 and 6.8.6. Due to the extreme severity, the WordPress.org team has taken the unprecedented step of force-pushing this update through the auto-update system to all affected sites, bypassing the usual manual update process for administrators.

Site owners can also manually update their installations via the WordPress Dashboard by navigating to the “Updates” section and clicking “Update Now,” or by downloading the latest release directly from WordPress.org.

The WordPress security team acknowledged the contributions of multiple researchers: TF1T, dtro, and haongo for their joint report on the SQL injection issue, and Adam Kues for his independent discovery of the REST API batch-route RCE chain.

What You Should Do

  • Update Immediately: Ensure your WordPress installation is running version 7.0.2, 6.9.5, 6.8.6, or newer. While auto-updates are being pushed, manual verification is highly recommended.
  • Utilize the Scanner: Check your site’s vulnerability status using the free public scanner available at wp2shell[.]com.
  • Temporary Mitigations (if immediate update is impossible):
    • Install a plugin that completely blocks anonymous access to the REST API.
    • Block the /wp-json/batch/v1 and ?rest_route=/batch/v1 endpoints at your Web Application Firewall (WAF) level.
    • Treat these workarounds as strictly temporary until the official patch is applied.
  • Prioritize Patching: Given the widespread use of WordPress and the ease of exploitation, immediate patching is crucial. Relying on temporary workarounds is strongly discouraged as a long-term solution.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Critical OpenSSL Vulnerability CVE-2023-5678 Exposes Servers to DoS Attacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AWS Cost Explorer Bug Exposes Trillion-Dollar Billing Estimates
July 17, 2026
Critical Windows LegacyHive 0-Day Lets Attackers Gain Admin Access
July 17, 2026
ClickLock macOS Stealer Kills Apps, Forces Password Entry
July 17, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us