A newly discovered pre-authentication remote code execution (RCE) vulnerability, termed âwp2shell,â is posing a serious threat to over 500 million WordPress sites. This vulnerability could allow unauthenticated attackers to fully compromise affected websites.
Adam Kues from Searchlight Cyber’s Assetnote research team identified this flaw. It arises from a REST API batch-route confusion, leading to an SQL injection that can ultimately result in remote code execution.
Understanding the wp2shell Threat
The wp2shell vulnerability stands out due to its lack of prerequisites for exploitation. Attackers can target any standard WordPress installation without needing credentials, vulnerable plugins, or specific configurations.
In response to the risk level, Searchlight Cyber has restrained from sharing technical exploit details to allow site owners the opportunity to secure their systems. They have, however, provided a free scanner at wp2shell[.]com for checking site vulnerability.
WordPress Versions at Risk
The vulnerability affects specific WordPress Core versions, noted under CVE-2026-60137 and CVE-2026-63030. Versions 6.9.0 to 6.9.4, 7.0.0 to 7.0.1, and the 7.1 beta are vulnerable.
WordPress 6.8 is only affected by the SQL injection aspect (CVE-2026-60137), and a fix has been issued in version 6.8.6. WordPress.org has released version 7.0.2 with backported fixes in 6.9.5 and 6.8.6 to address both the RCE and SQL injection vulnerabilities.
Immediate Actions and Recommendations
Due to the critical nature of wp2shell, the WordPress.org team has implemented a force-push update via the auto-update system to ensure affected sites are patched promptly.
Site administrators can also manually update through the WordPress Dashboard or by downloading the update directly from WordPress.org. For those unable to update immediately, temporary measures include blocking anonymous REST API access or specific endpoints at the WAF level, though these may hinder site functionality.
With WordPress’s vast user base and the ease of exploit without plugins, immediate patching is prioritized over temporary workarounds to secure sites from potential attacks.
Strengthen your Security Operations Center (SOC) by leveraging tools like ANY.RUN for enhanced threat detection and rapid response.
