3 min read

WordPress wp2shell RCE Exploits Are Now Public

Public exploits target WordPress wp2shell flaws. Update sites to WordPress 7.0.2 or 6.9.5 immediately.

Image: BleepingComputer

Public proof-of-concept exploits are now available for the critical “wp2shell” remote code execution vulnerabilities in WordPress Core. Administrators should update immediately: the flaws can be chained to enable pre-authentication RCE on default WordPress installations running versions 6.9.x and 7.0.x.

Searchlight Cyber researcher Adam Kues discovered the vulnerabilities. The company says the attack requires no plugins, configuration changes, or authentication and can be carried out by an anonymous user against a stock installation.

“Searchlight Cyber’s security research team has discovered a pre-authentication RCE in WordPress Core. The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.”

Searchlight Cyber

Searchlight Cyber estimates that more than 500 million websites use WordPress, increasing the potential impact now that public exploits are circulating. WordPress has enabled forced automatic security updates for supported installations running affected versions.

Recommended reading

7-Zip 26.02 Patches XZ Code-Execution Flaw

“Because this is a security release, it is recommended that you update your sites immediately. Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions.”

WordPress

The two vulnerabilities behind wp2shell

The attack is built from two separate flaws:

  • CVE-2026-63030: A REST API batch-route confusion vulnerability introduced in WordPress 6.9. The GitHub advisory says it can be combined with the SQL injection flaw to achieve RCE.
  • CVE-2026-60137: A high-severity SQL injection vulnerability in the author__not_in parameter of WP_Query, affecting WordPress 6.8 and later.

The complete RCE chain affects WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. The SQL injection flaw also affects 6.8.0 through 6.8.5, but those versions cannot be chained to RCE because the REST API vulnerability was introduced in WordPress 6.9.

The chain is fixed in WordPress 6.9.5 and 7.0.2. Searchlight Cyber is withholding technical details to give administrators time to patch, but it has launched wp2shell.com, where site owners can test whether their installations are vulnerable.

Temporary mitigations and active exploitation

For organizations that cannot update immediately, Searchlight Cyber recommends either installing a plugin that blocks anonymous REST API access or blocking these paths at the web application firewall level:

  • /wp-json/batch/v1
  • ?rest_route=/batch/v1

The company says these measures are temporary and should not replace patching. Cloudflare has also deployed WAF protections for both vulnerabilities across all plans, including free accounts, for sites proxied through its platform.

“WAF protections reduce exposure while customers update, but they are not a substitute for patching.”

Cloudflare

Several GitHub proof-of-concept exploits combine the flaws to extract WordPress password hashes, crack an administrator password, upload a malicious plugin, and execute commands. Other PoCs claim pre-authentication RCE without administrator credentials. BleepingComputer contacted Searchlight Cyber to confirm whether its attack chain requires a password.

Security firm watchTowr says it has already observed exploitation in the wild following the release of the public exploits.

“WordPress gets a bad rap for security. But the reality is that a highly impactful, unauthenticated SQL injection or remote code execution vulnerability in WordPress core is actually fairly rare. That is exactly what makes this one different, and why everyone is scrambling to patch before widespread exploitation takes hold. The watchTowr team is already seeing PoC exploits in circulation, and we are beginning to see the first signs of in-the-wild exploitation.”

Benjamin Harris, CEO, watchTowr

Administrators should update affected sites to WordPress 7.0.2 or 6.9.5 as soon as possible.

Article image
Article image
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

/ Keep reading