Public exploits have been released for the critical “wp2shell” remote code execution vulnerabilities affecting WordPress Core, making it imperative that administrators patch their sites immediately. The wp2shell attack consists of two flaws, tracked as CVE-2026-63030 and CVE-2026-60137, that can be chained together to achieve pre-authentication remote code execution against WordPress installs running versions 6.9.x and 7.0.x.
The flaws were discovered by Adam Kues of Searchlight Cyber, which says an unauthenticated attacker can exploit them against a default WordPress installation. “Searchlight Cyber’s security research team has discovered a pre-authentication RCE in WordPress Core,” explained Searchlight Cyber. “The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.”
Searchlight Cyber estimates that more than 500 million websites use WordPress, giving the vulnerability a potentially massive impact, especially now that public proof-of-concept exploits have been released.
Vulnerability Details
The issue is not a single vulnerability but rather two independent flaws that can be combined into an unauthenticated remote code execution chain. The first flaw, CVE-2026-63030, is a REST API batch-route confusion vulnerability introduced in WordPress 6.9. According to the GitHub advisory, the flaw can be combined with the SQL injection issue to achieve remote code execution.
The second vulnerability, CVE-2026-60137, is an SQL injection flaw in the ‘author__not_in’ parameter of ‘WP_Query’. WordPress describes it as a high-severity SQL injection vulnerability affecting WordPress 6.8 and later.
Patching and Mitigation
Due to the severity of the vulnerabilities, the WordPress security team has enabled forced automatic security updates for supported installations running affected versions, urging site owners to update to WordPress 7.0.2 or 6.9.5 immediately.
For organizations unable to immediately update, Searchlight Cyber recommends: Installing a plugin that blocks anonymous access to the REST API entirely; or Blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level. The company warns these mitigations should only be used as a temporary measure until systems can be updated.
Cloudflare's Protection
Cloudflare has deployed Web Application Firewall (WAF) protections for both vulnerabilities across all plans, including free accounts, that are proxied behind its platform. According to Cloudflare, the rules block attempts to exploit both the SQL injection flaw (CVE-2026-60137) and the REST API batch-route confusion vulnerability (CVE-2026-63030).
In-the-Wild Exploitation
Security firm watchTowr says it has already seen in-the-wild exploitation after the public exploits were released. “WordPress gets a bad rap for security,” said watchTowr CEO Benjamin Harris. “But the reality is that a highly impactful, unauthenticated SQL injection or remote code execution vulnerability in WordPress core is actually fairly rare.”
Conclusion
Given the availability of public proof-of-concept exploits and the first reported signs of in-the-wild exploitation, administrators should ensure their sites are updated to WordPress 7.0.2 or 6.9.5 as soon as possible.
Source: Original article