WordPress RCE Flaws Exploit Public, Urge Immediate Patch
Public exploits are now available for critical "wp2shell" remote code execution flaws in WordPress Core. Users are urged to update immediately to versions 7.0.2 or 6.9.5.

Publicly available exploits have emerged for critical remote code execution vulnerabilities in WordPress Core, dubbed "wp2shell," prompting urgent calls for administrators to patch their websites. The two chained flaws, identified as CVE-2026-63030 and CVE-2026-60137, enable unauthenticated attackers to execute arbitrary code on WordPress installations running versions 6.9.x and 7.0.x.
The vulnerabilities were discovered by Adam Kues of Searchlight Cyber. According to the firm, the attack requires no preconditions and can be exploited by an anonymous user on a default WordPress installation without any plugins. With an estimated 500 million websites utilizing WordPress, the potential impact of these flaws is vast, especially with the release of public proof-of-concept exploits. In response, the WordPress security team has activated forced automatic security updates for affected, supported installations, strongly advising users to update to WordPress 7.0.2 or 6.9.5 without delay. "Because this is a security release, it is recommended that you update your sites immediately," WordPress stated in its security advisory. "Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions."
The complete attack chain involves two distinct vulnerabilities. The first, CVE-2026-63030, is a REST API batch-route confusion flaw introduced in WordPress 6.9. This can be combined with a SQL injection issue to achieve remote code execution. The second vulnerability, CVE-2026-60137, is a high-severity SQL injection flaw affecting the 'author__not_in' parameter in 'WP_Query,' impacting WordPress 6.8 and later versions. While the SQL injection flaw alone affects WordPress 6.8.0 through 6.8.5, the full RCE chain specifically targets WordPress 6.9.0 through 6.9.4 and WordPress 7.0.0 through 7.0.1. The combined exploit is fixed in WordPress 6.9.5 and 7.0.2.
Mitigation and Exploitation
While Searchlight Cyber initially withheld technical details to allow administrators time to patch, multiple public proof-of-concept exploits have since appeared on platforms like GitHub. These exploits have been observed combining the two vulnerabilities. Some leverage the SQL injection to extract WordPress password hashes, which can then be used to crack administrator credentials, upload malicious plugins, and execute commands. Other proof-of-concept exploits reportedly achieve pre-authentication remote code execution, aligning with Searchlight Cyber's initial assessment.
For organizations unable to update immediately, Searchlight Cyber suggests temporary workarounds: installing a plugin that blocks anonymous access to the REST API or blocking the paths /wp-json/batch/v1 and ?rest_route=/batch/v1 at a Web Application Firewall (WAF) level. However, the company emphasizes these are temporary measures until full patching can be implemented. Cloudflare has already deployed WAF protections for both vulnerabilities across all its plans, including free accounts, for sites proxied through its service. "WAF protections reduce exposure while customers update, but they are not a substitute for patching," Cloudflare noted.
Security firm watchTowr reported observing in-the-wild exploitation shortly after the public exploits were released. "WordPress gets a bad rap for security. But the reality is that a highly impactful, unauthenticated SQL injection or remote code execution vulnerability in WordPress core is actually fairly rare," said watchTowr CEO Benjamin Harris. "That is exactly what makes this one different, and why everyone is scrambling to patch before widespread exploitation takes hold. The watchTowr team is already seeing PoC exploits in circulation, and we are beginning to see the first signs of in-the-wild exploitation." Given the widespread availability of exploits and initial reports of active exploitation, updating to WordPress 7.0.2 or 6.9.5 is critical for all site administrators.
