
WordPress has shipped an emergency security release after researchers disclosed wp2shell, a critical flaw in WordPress Core that can be chained into remote code execution.
The issue is tracked as CVE-2026-63030 and, according to the published advisories, it works with CVE-2026-60137, a separate SQL injection issue, to let an attacker run code without logging in.
WordPress.org said the WordPress 7.0.2 release addresses one critical and one high-severity security issue and urged site owners to update immediately.
The disclosure landed on July 17, 2026, and security researchers quickly described it as a serious problem because it affects the WordPress core itself rather than a third-party plugin.
Searchlight Cyber, which published the research as wp2shell: Pre Authentication RCE in WordPress Core, said the attack has no preconditions and can be triggered by an anonymous user on a stock WordPress install with no plugins and no special configuration. The firm also noted that WordPress powers an estimated 500 million websites.
The affected versions are clearly defined in the release notes and follow-up research. WordPress said 6.9.0 through 6.9.4 are fixed in 6.9.5, while 7.0.0 through 7.0.1 are fixed in 7.0.2. For the separate SQL injection issue, WordPress also released 6.8.6. The security release for 7.0.2 was treated as urgent enough that WordPress.org enabled forced updates through the auto-update system for affected sites.
How the flaw works
The research describes wp2shell as a chain involving the WordPress REST API batch endpoint and a SQL injection issue. In the wording used by multiple advisories, the route confusion in the batch endpoint helps bypass the protections that would otherwise keep the SQL injection from being reached by an unauthenticated user. That combination is what turns the issue into a pre-authentication remote code execution path.
That distinction matters because it changes the risk profile of the bug. A single vulnerable component may be serious, but a chain that starts with an anonymous request and ends with code execution creates a much wider attack surface.
The public advisory from WordPress does not frame this as a plugin problem or a configuration mistake. It is a core issue, which means standard, unmodified sites are in scope.
What WordPress site owners should do now
The main instruction from WordPress is straightforward: update immediately. Sites on the 7.0 branch should move to 7.0.2, and sites on the 6.9 branch should move to 6.9.5. WordPress said the release is a security update, and its team turned on forced updates for affected versions. A useful place to confirm the exact release details is the official 7.0.2 announcement.
Searchlight Cyber also listed temporary mitigation steps for administrators who cannot patch right away. Those steps include restricting access to the REST API batch route, especially the /wp-json/batch/v1 endpoint and the ?rest_route=/batch/v1 form. In the source material, these are described as short-term defenses, not substitutes for upgrading.
For readers who want the technical record, the best reference points are the official WordPress release, the Searchlight Cyber write-up, and the CVE record for CVE-2026-63030. Those three sources line up on the same basic picture: a WordPress core security chain, unauthenticated attack potential, and urgent patching guidance.
Discover more from Aree Blog
Subscribe now to keep reading and get access to the full archive.


