An alarming vulnerability has been discovered in WordPress, exposing millions of sites to potential code execution by unauthorized users. Known as the wp2shell flaw, this issue affects all installations from versions 6.9 to 7.0.1. The vulnerability was identified by Adam Kues of Assetnote and reported via WordPress’s HackerOne program.
Details of the WordPress Vulnerability
The flaw allows an anonymous HTTP request to execute code on a WordPress site without any plugins. On July 17, 2026, WordPress released versions 6.9.5 and 7.0.2, which address this issue by enabling forced updates through its automatic update system. These updates are critical for securing sites running affected versions.
Despite the update, WordPress has not confirmed whether sites with automatic updates disabled received this fix. Users are urged to verify their current version rather than assuming the update has been applied.
Implications for WordPress Users
Searchlight Cyber’s analysis suggests that over 500 million websites utilize WordPress. However, the vulnerability only affects installations from version 6.9 onward, released in December 2025. The flaw stems from a REST API batch-route confusion and an SQL injection issue, leading to potential remote code execution.
WordPress has updated specific files in version 7.0.2 to resolve these issues. Although the batch endpoint has been part of WordPress since version 5.6, the changes in 6.9 introduced the vulnerability. Without a CVE ID or CVSS score, tracking this flaw relies on version numbers, complicating the identification process for cybersecurity tools.
Protecting Your Website
For those unable to update immediately, Searchlight offers temporary solutions to mitigate risk. These include blocking specific API endpoints via a web application firewall (WAF), disabling the WP REST API, or using a plugin to reject anonymous requests. However, these measures may disrupt legitimate site functions.
No exploitation attempts have been detected as of July 18, 2026. Yet, the fast-paced nature of cyber threats means that site owners must act quickly to secure their sites and prevent potential attacks.
In the open-source community, releasing a fix inherently reveals the vulnerability it addresses. As such, timely updates are essential to protect sites before malicious actors exploit the newfound knowledge.
WordPress’s swift release of updates demonstrates the platform’s commitment to security. Monitoring traffic and update statistics will reveal the effectiveness of these measures in preempting attacks.
