Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    US charges two over laundering $43 million from investment fraud

    July 18, 2026

    The Future of Age Verification: Your Face Never Leaves Your Device

    July 18, 2026

    WordPress Core “wp2shell” RCE flaws get public exploits, patch now

    July 18, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»WordPress Core “wp2shell” RCE flaws get public exploits, patch now
    News

    WordPress Core “wp2shell” RCE flaws get public exploits, patch now

    adminBy adminJuly 18, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    WordPress

    Public exploits have been released for the critical “wp2shell” remote code execution vulnerabilities affecting WordPress Core, making it imperative that administrators patch their sites immediately.

    The wp2shell attack consists of two flaws, tracked as CVE-2026-63030 and CVE-2026-60137, that can be chained together to achieve pre-authentication remote code execution against WordPress installs running versions 6.9.x and 7.0.x.

    The flaws were discovered by Adam Kues of Searchlight Cyber, which says an unauthenticated attacker can exploit them against a default WordPress installation.

    image

    “Searchlight Cyber’s security research team has discovered a pre-authentication RCE in WordPress Core,” explained Searchlight Cyber.

    “The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.”

    Searchlight Cyber estimates that more than 500 million websites use WordPress, giving the vulnerability a potentially massive impact, especially now that public proof-of-concept exploits have been released.

    Due to the severity of the vulnerabilities, the WordPress security team has enabled forced automatic security updates for supported installations running affected versions, urging site owners to update to WordPress 7.0.2 or 6.9.5 immediately.

    “Because this is a security release, it is recommended that you update your sites immediately,” WordPress said in its security announcement.

    “Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions.”

    The issue is not a single vulnerability but rather two independent flaws that can be combined into an unauthenticated remote code execution chain.

    The first flaw, CVE-2026-63030, is a REST API batch-route confusion vulnerability introduced in WordPress 6.9. According to the GitHub advisory, the flaw can be combined with the SQL injection issue to achieve remote code execution.

    The second vulnerability, CVE-2026-60137, is an SQL injection flaw in the ‘author__not_in‘ parameter of ‘WP_Query'. WordPress describes it as a high-severity SQL injection vulnerability affecting WordPress 6.8 and later.

    According to the WordPress advisories, the complete RCE chain affects WordPress 6.9.0 through 6.9.4 and WordPress 7.0.0 through 7.0.1.

    The SQL injection vulnerability also affects WordPress 6.8.0 through 6.8.5, but cannot be chained to remote code execution because the REST API batch-route confusion bug was added in WordPress 6.9.

    The full wp2shell attack chain has been fixed in WordPress 6.9.5 and 7.0.2.

    Searchlight Cyber is currently withholding technical details to give administrators time to patch, instead creating the wp2shell.com website, which allows admins to test whether their WordPress installations are vulnerable.

    For organizations unable to immediately update, Searchlight Cyber recommends:

    • Installing a plugin that blocks anonymous access to the REST API entirely; or
    • Blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level.

    The company warns these mitigations should only be used as a temporary measure until systems can be updated.

    Cloudflare also announced that it has deployed Web Application Firewall (WAF) protections for both vulnerabilities across all plans, including free accounts, that are proxied behind its platform.

    According to Cloudflare, the rules block attempts to exploit both the SQL injection flaw (CVE-2026-60137) and the REST API batch-route confusion vulnerability (CVE-2026-63030).

    “WAF protections reduce exposure while customers update, but they are not a substitute for patching,” Cloudflare said.

    Public PoC exploits released

    While Searchlight Cyber delayed releasing technical details to give administrators time to patch, multiple public proof-of-concept exploits have since been published on GitHub.

    Some publicly available exploits combine the two vulnerabilities to extract WordPress password hashes via SQL injection, then crack an administrator password to log in, upload a malicious plugin, and execute commands.

    However, other proof-of-concept exploits claim to achieve pre-authentication remote code execution without requiring administrator credentials, which is more in line with Searchlight Cyber’s description of the flaws.

    BleepingComputer has contacted Searchlight Cyber to confirm that its attack chain does not require an administrator password.

    Security firm watchTowr says it has already seen in-the-wild exploitation after the public exploits were released.

    “WordPress gets a bad rap for security. But the reality is that a highly impactful, unauthenticated SQL injection or remote code execution vulnerability in WordPress core is actually fairly rare,” watchTowr CEO Benjamin Harris told BleepingComputer via email.

    “That is exactly what makes this one different, and why everyone is scrambling to patch before widespread exploitation takes hold. The watchTowr team is already seeing PoC exploits in circulation, and we are beginning to see the first signs of in-the-wild exploitation.”

    Given the availability of public proof-of-concept exploits and the first reported signs of in-the-wild exploitation, administrators should ensure their sites are updated to WordPress 7.0.2 or 6.9.5 as soon as possible.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleUpdate now: 7-Zip fixes RCE flaw exploitable with malicious archives
    Next Article The Future of Age Verification: Your Face Never Leaves Your Device
    admin
    • Website

    Related Posts

    News

    US charges two over laundering $43 million from investment fraud

    July 18, 2026
    News

    The Future of Age Verification: Your Face Never Leaves Your Device

    July 18, 2026
    News

    Update now: 7-Zip fixes RCE flaw exploitable with malicious archives

    July 18, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Our Picks

    US charges two over laundering $43 million from investment fraud

    July 18, 2026

    The Future of Age Verification: Your Face Never Leaves Your Device

    July 18, 2026

    WordPress Core “wp2shell” RCE flaws get public exploits, patch now

    July 18, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.