wp2shell: Critical WordPress RCE Chain Exposed, Patch Rolling Out
A critical pre-authentication Remote Code Execution (RCE) vulnerability, dubbed **wp2shell**, has been discovered in **WordPress** core, affecting versions 6.9 and 7.0. The exploit chain, consisting of two distinct flaws (**CVE-2026-63030** and **CVE-2026-60137**), allows anonymous attackers to execute arbitrary code on unpatched sites. While patches have been released, the widespread nature of **WordPress** installations means many sites remain vulnerable.

An anonymous HTTP request can now lead to code execution on **WordPress** sites. This critical vulnerability, dubbed **wp2shell**, resides within the **WordPress** core, making even bare installations with no plugins exploitable.
### The Dual Vulnerability: CVE-2026-63030 and CVE-2026-60137
**wp2shell** is a chain of two distinct vulnerabilities. **CVE-2026-63030** addresses a REST API batch-route confusion, while **CVE-2026-60137** is a SQL injection flaw in **WordPress** core. Chained together, these bugs allow an unauthenticated request to achieve full code execution.
**Adam Kues** at **Assetnote**, the attack surface management division of **Searchlight Cyber**, discovered the batch-route confusion bug and reported it via **WordPress**'s **HackerOne** program. The **SQL injection** was reported separately by **TF1T**, **dtro**, and **haongo**.
### Affected Versions and Patches
**WordPress** moved swiftly to release patches, shipping versions 6.9.5 and 7.0.2 and enabling forced updates through its auto-update system. The vulnerability impact varies by version:
* **6.8.0 through 6.8.5**: SQL injection only, fixed in 6.8.6.
* **6.9.0 through 6.9.4**: Full RCE chain, fixed in 6.9.5.
* **7.0.0 through 7.0.1**: Full RCE chain, fixed in 7.0.2.
**WordPress 7.1 beta2** also incorporates both fixes. Notably, older 6.8 sites are not susceptible to the full RCE chain via this method.
It is crucial for administrators to verify their current **WordPress** version, as it's unclear whether forced updates reach sites with auto-updates explicitly disabled.
### Technical Breakdown of the Exploit
The exploit chain leverages two key weaknesses:
1. **SQL Injection in WP_Query**: The injection occurs in the `author__not_in` parameter of `WP_Query`. By providing a string instead of an expected array, the validation check is bypassed, allowing the raw value to be inserted into the SQL query.
2. **REST API Batch-Route Confusion**: The `/wp-json/batch/v1` route, designed to execute multiple sub-requests, contains an error in how it tracks these requests. An error in one sub-request can desynchronize the internal arrays, causing a request to be processed by an unintended handler. This confusion allows an attacker to bypass endpoint allow-lists and inject malicious input into the vulnerable SQL query, all without authentication.
While the batch endpoint has existed since **WordPress 5.6**, the specific confusion that enables this exploit is new to version 6.9.
### Scoring Discrepancies and Impact
**WordPress**'s own advisory rates the RCE chain as Critical. However, its **CVE** record assigns a score of 7.5 (High), primarily crediting data access rather than the integrity or availability loss typically associated with code execution. The SQL injection alone, when scored independently, receives a Critical rating exceeding 9.1. Security professionals should track both **CVE-2026-63030** and **CVE-2026-60137** closely.
### The Role of Persistent Object Caches
One factor that may limit the blast radius is the presence of a persistent object cache. According to **Cloudflare**, which has deployed WAF rules to mitigate the threat, the code execution path functions only when a site is *not* running such a cache. Default **WordPress** installations do not have a persistent object cache, meaning they remain exposed. Sites using solutions like **Redis** or **Memcached** as a persistent object cache might be immune to the RCE component, but this does not protect against the underlying SQL injection.
### The Race Against Mass Exploitation
With **CVE IDs** assigned and a working proof-of-concept now public on **GitHub**, the window for unpatched sites is rapidly closing. **Rapid7** anticipates authenticated checks for **InsightVM** and **Nexpose** by July 20. While the vulnerability is not yet on **CISA**'s **Known Exploited Vulnerabilities (KEV) catalog**, a lack of reported exploitation does not guarantee safety.
Mass exploitation of **WordPress** vulnerabilities is a well-established threat. The ease of exploitation for **wp2shell** β requiring no authentication and working on default configurations β makes it particularly dangerous.
### Immediate Mitigation Strategies
For sites that cannot immediately update, **Searchlight Cyber** suggests several temporary mitigations, all aimed at blocking anonymous access to the batch endpoint:
* **Web Application Firewall (WAF)**: Block requests to both `/wp-json/batch/v1` and `rest_route=/batch/v1`. **Cloudflare**'s managed WAF is already blocking this chain for its users.
* **Disable WP REST API Plugin**: This plugin disables unauthenticated **REST API** access entirely.
* **Custom Drop-in Plugin**: **Searchlight** has published a small plugin that rejects anonymous `/batch/v1` requests at `rest_pre_dispatch`.
These are stopgap measures and may interfere with legitimate integrations. The ultimate solution remains a prompt update to a patched **WordPress** version.