WordPress core pre-auth RCE | No login needed to get a shell, 500M+ sites affected
TL;DR
Researcher Adam Kues disclosed a WordPress core pre-auth RCE, "wp2shell" (CVE-2026-63030), that runs code without login; it hits 500M+ sites and is patched in 7.0.2/6.9.5.
Searchlight Cyber researcher Adam Kues disclosed a pre-auth RCE in WordPress core, dubbed wp2shell (CVE-2026-63030). An anonymous user, with no preconditions and no plugins, can run code remotely on a stock WordPress install. The open-source CMS powers more than 40% of all websites, so an estimated 500M+ sites are exposed.
The bug chains two flaws. The first is a route confusion in the REST API's
Affected versions are 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. The flawed code only exists from 6.9 onward, which shipped December 2, 2025 — older sites actually dodged it. WordPress released 7.0.2 (and 6.9.5 on the 6.9 branch) on July 17, a security batch fixing one critical and one high-severity issue.
Full technical details are being held back, but a detection PoC is already on GitHub. Admins who can't update immediately can block the hole temporarily: install the Disable WP REST API plugin to shut off unauthenticated API access, or use a WAF to block requests to
Update to 7.0.2 or 6.9.5 now. There's no alternative.
via The Hacker News / Searchlight Cyber / wp2shell
The bug chains two flaws. The first is a route confusion in the REST API's
/wp-json/batch/v1 endpoint (CVE-2026-63030); the second is a SQL injection in WP_Query's author__not_in parameter (CVE-2026-60137). The path: hit the batch route unauthenticated → route confusion bypasses auth → trigger the WP_Query SQLi → run code and get a shell.Affected versions are 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. The flawed code only exists from 6.9 onward, which shipped December 2, 2025 — older sites actually dodged it. WordPress released 7.0.2 (and 6.9.5 on the 6.9 branch) on July 17, a security batch fixing one critical and one high-severity issue.
Full technical details are being held back, but a detection PoC is already on GitHub. Admins who can't update immediately can block the hole temporarily: install the Disable WP REST API plugin to shut off unauthenticated API access, or use a WAF to block requests to
/wp-json/batch/v1.Update to 7.0.2 or 6.9.5 now. There's no alternative.
via The Hacker News / Searchlight Cyber / wp2shell
