Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Critical wp2shell RCE Vulnerability Threatens WordPress Sites

Critical wp2shell RCE Vulnerability Threatens WordPress Sites

Posted on July 18, 2026 By CWS

A newly discovered pre-authentication remote code execution (RCE) vulnerability, termed “wp2shell,” is posing a serious threat to over 500 million WordPress sites. This vulnerability could allow unauthenticated attackers to fully compromise affected websites.

Adam Kues from Searchlight Cyber’s Assetnote research team identified this flaw. It arises from a REST API batch-route confusion, leading to an SQL injection that can ultimately result in remote code execution.

Understanding the wp2shell Threat

The wp2shell vulnerability stands out due to its lack of prerequisites for exploitation. Attackers can target any standard WordPress installation without needing credentials, vulnerable plugins, or specific configurations.

In response to the risk level, Searchlight Cyber has restrained from sharing technical exploit details to allow site owners the opportunity to secure their systems. They have, however, provided a free scanner at wp2shell[.]com for checking site vulnerability.

WordPress Versions at Risk

The vulnerability affects specific WordPress Core versions, noted under CVE-2026-60137 and CVE-2026-63030. Versions 6.9.0 to 6.9.4, 7.0.0 to 7.0.1, and the 7.1 beta are vulnerable.

WordPress 6.8 is only affected by the SQL injection aspect (CVE-2026-60137), and a fix has been issued in version 6.8.6. WordPress.org has released version 7.0.2 with backported fixes in 6.9.5 and 6.8.6 to address both the RCE and SQL injection vulnerabilities.

Immediate Actions and Recommendations

Due to the critical nature of wp2shell, the WordPress.org team has implemented a force-push update via the auto-update system to ensure affected sites are patched promptly.

Site administrators can also manually update through the WordPress Dashboard or by downloading the update directly from WordPress.org. For those unable to update immediately, temporary measures include blocking anonymous REST API access or specific endpoints at the WAF level, though these may hinder site functionality.

With WordPress’s vast user base and the ease of exploit without plugins, immediate patching is prioritized over temporary workarounds to secure sites from potential attacks.

Strengthen your Security Operations Center (SOC) by leveraging tools like ANY.RUN for enhanced threat detection and rapid response.

Cyber Security News Tags:cyber threat, Cybersecurity, emergency patch, RCE vulnerability, REST API, security update, site protection, software vulnerability, SQL injection, website security, WordPress core, WordPress patch, WordPress security, wp2shell

Post navigation

Previous Post: AI Tool Revolutionizes Automated Penetration Testing

Related Posts

SafePay Ransomware Infected 260+ Victims Across Multiple Countries SafePay Ransomware Infected 260+ Victims Across Multiple Countries Cyber Security News
Phishing Campaign Targets Microsoft Teams via Compromised Sites Phishing Campaign Targets Microsoft Teams via Compromised Sites Cyber Security News
AppSuite PDF Editor Hacked to Execute Arbitrary Commands on The Infected System AppSuite PDF Editor Hacked to Execute Arbitrary Commands on The Infected System Cyber Security News
Massive DDoS Attack Evades Detection Using 1.2M IPs Massive DDoS Attack Evades Detection Using 1.2M IPs Cyber Security News
New Lawsuit Claims that Meta Can Read All the WhatsApp Users Messages New Lawsuit Claims that Meta Can Read All the WhatsApp Users Messages Cyber Security News
Chinese UNC6384 Hackers Leverages Valid Code Signing Certificates to Evade Detection Chinese UNC6384 Hackers Leverages Valid Code Signing Certificates to Evade Detection Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Critical wp2shell RCE Vulnerability Threatens WordPress Sites
  • AI Tool Revolutionizes Automated Penetration Testing
  • Critical WordPress Flaw Allows Code Execution
  • OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat
  • OpenSSL Vulnerability Causes Memory Freeze with Minimal Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Critical wp2shell RCE Vulnerability Threatens WordPress Sites
  • AI Tool Revolutionizes Automated Penetration Testing
  • Critical WordPress Flaw Allows Code Execution
  • OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat
  • OpenSSL Vulnerability Causes Memory Freeze with Minimal Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark