Critical wp2shell RCE Vulnerability in WordPress Patched
Key Takeaways A critical pre-authentication RCE vulnerability, dubbed “wp2shell,” has been discovered in WordPress Core. The flaw allows unauthenticated attackers to fully compromise over...
Key Takeaways
- A critical pre-authentication RCE vulnerability, dubbed “wp2shell,” has been discovered in WordPress Core.
- The flaw allows unauthenticated attackers to fully compromise over 500 million WordPress websites without requiring plugins or special configurations.
- Affected versions include WordPress 6.9.0-6.9.4, 7.0.0-7.0.1, and 7.1 beta.
- WordPress has released urgent patches in versions 7.0.2, 6.9.5, and 6.8.6, with automatic updates being pushed to affected sites.
Critical wp2shell RCE Vulnerability in WordPress Patched
A severe pre-authentication remote code execution (RCE) vulnerability, identified as “wp2shell,” has been found within the core components of WordPress, threatening hundreds of millions of websites globally. This critical flaw permits unauthenticated attackers to gain complete control over vulnerable WordPress installations.
Table Of Content
The discovery was made by Adam Kues, a security researcher with Searchlight Cyber’s Assetnote team. Kues pinpointed a REST API batch-route confusion issue that could be chained with an SQL injection to achieve remote code execution. This vulnerability stands out due to its simplicity of exploitation, requiring no prior authentication or specific website configurations, making it a significant threat to default WordPress setups.
Understanding the wp2shell Threat
The “wp2shell” vulnerability is particularly dangerous because it bypasses common attack prerequisites. An attacker does not need user credentials, a vulnerable third-party plugin, or any unique site settings to compromise a target. The only requirement is a WordPress instance running an affected version that is accessible over the internet.
Recognizing the gravity of this bug, Searchlight Cyber withheld technical exploit details to allow website owners sufficient time to apply patches. Concurrently, they launched a free public scanner at wp2shell[.]com, empowering administrators to verify their site’s vulnerability status.
Affected WordPress Versions and Patches
The vulnerability spans a specific range of WordPress Core releases and is cataloged under two CVE identifiers: CVE-2026-60137, which also covers a separate SQL injection issue, and CVE-2026-63030, which specifically refers to the batch-route RCE flaw identified by Kues.
| WordPress version range | Status |
|---|---|
| 6.8.5 and earlier | Not affected |
| 6.9.0 – 6.9.4 | Affected |
| 7.0.0 – 7.0.1 | Affected |
| 7.1 beta (pre-release) | Affected |
It is important to note that the WordPress 6.8 branch is susceptible only to the SQL injection component (CVE-2026-60137) and not the full RCE chain. A fix for this has been backported to version 6.8.6.
In response to this critical vulnerability, WordPress.org has shipped version 7.0.2, which includes fixes for both the RCE and the high-severity SQL injection. Corresponding backported fixes have also been released in versions 6.9.5 and 6.8.6. Due to the extreme severity, the WordPress.org team has taken the unprecedented step of force-pushing this update through the auto-update system to all affected sites, bypassing the usual manual update process for administrators.
Site owners can also manually update their installations via the WordPress Dashboard by navigating to the “Updates” section and clicking “Update Now,” or by downloading the latest release directly from WordPress.org.
The WordPress security team acknowledged the contributions of multiple researchers: TF1T, dtro, and haongo for their joint report on the SQL injection issue, and Adam Kues for his independent discovery of the REST API batch-route RCE chain.
What You Should Do
- Update Immediately: Ensure your WordPress installation is running version 7.0.2, 6.9.5, 6.8.6, or newer. While auto-updates are being pushed, manual verification is highly recommended.
- Utilize the Scanner: Check your site’s vulnerability status using the free public scanner available at wp2shell[.]com.
- Temporary Mitigations (if immediate update is impossible):
- Install a plugin that completely blocks anonymous access to the REST API.
- Block the
/wp-json/batch/v1and?rest_route=/batch/v1endpoints at your Web Application Firewall (WAF) level. - Treat these workarounds as strictly temporary until the official patch is applied.
- Prioritize Patching: Given the widespread use of WordPress and the ease of exploitation, immediate patching is crucial. Relying on temporary workarounds is strongly discouraged as a long-term solution.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.