WordPress Core "wp2shell" RCE flaws get public exploits, patch now

5 hours ago 9

WordPress

Public exploits have been released for the critical "wp2shell" remote code execution vulnerabilities affecting WordPress Core, making it imperative that administrators patch their sites immediately.

The wp2shell attack consists of two flaws, tracked as CVE-2026-63030 and CVE-2026-60137, that can be chained together to achieve pre-authentication remote code execution against WordPress installs running versions 6.9.x and 7.0.x.

The flaws were discovered by Adam Kues of Searchlight Cyber, which says an unauthenticated attacker can exploit them against a default WordPress installation.

image

"Searchlight Cyber's security research team has discovered a pre-authentication RCE in WordPress Core," explained Searchlight Cyber.

"The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins."

Searchlight Cyber estimates that more than 500 million websites use WordPress, giving the vulnerability a potentially massive impact, especially now that public proof-of-concept exploits have been released.

Due to the severity of the vulnerabilities, the WordPress security team has enabled forced automatic security updates for supported installations running affected versions, urging site owners to update to WordPress 7.0.2 or 6.9.5 immediately.

"Because this is a security release, it is recommended that you update your sites immediately," WordPress said in its security announcement.

"Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions."

The issue is not a single vulnerability but rather two independent flaws that can be combined into an unauthenticated remote code execution chain.

The first flaw, CVE-2026-63030, is a REST API batch-route confusion vulnerability introduced in WordPress 6.9. According to the GitHub advisory, the flaw can be combined with the SQL injection issue to achieve remote code execution.

The second vulnerability, CVE-2026-60137, is an SQL injection flaw in the 'author__not_in' parameter of 'WP_Query'. WordPress describes it as a high-severity SQL injection vulnerability affecting WordPress 6.8 and later.

According to the WordPress advisories, the complete RCE chain affects WordPress 6.9.0 through 6.9.4 and WordPress 7.0.0 through 7.0.1.

The SQL injection vulnerability also affects WordPress 6.8.0 through 6.8.5, but cannot be chained to remote code execution because the REST API batch-route confusion bug was added in WordPress 6.9.

The full wp2shell attack chain has been fixed in WordPress 6.9.5 and 7.0.2.

Searchlight Cyber is currently withholding technical details to give administrators time to patch, instead creating the wp2shell.com website, which allows admins to test whether their WordPress installations are vulnerable.

For organizations unable to immediately update, Searchlight Cyber recommends:

  • Installing a plugin that blocks anonymous access to the REST API entirely; or
  • Blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level.

The company warns these mitigations should only be used as a temporary measure until systems can be updated.

Cloudflare also announced that it has deployed Web Application Firewall (WAF) protections for both vulnerabilities across all plans, including free accounts, that are proxied behind its platform.

According to Cloudflare, the rules block attempts to exploit both the SQL injection flaw (CVE-2026-60137) and the REST API batch-route confusion vulnerability (CVE-2026-63030).

"WAF protections reduce exposure while customers update, but they are not a substitute for patching," Cloudflare said.

Public PoC exploits released

While Searchlight Cyber delayed releasing technical details to give administrators time to patch, multiple public proof-of-concept exploits have since been published on GitHub.

Some publicly available exploits combine the two vulnerabilities to extract WordPress password hashes via SQL injection, then crack an administrator password to log in, upload a malicious plugin, and execute commands.

However, other proof-of-concept exploits claim to achieve pre-authentication remote code execution without requiring administrator credentials, which is more in line with Searchlight Cyber's description of the flaws.

BleepingComputer has contacted Searchlight Cyber to confirm that its attack chain does not require an administrator password.

Security firm watchTowr says it has already seen in-the-wild exploitation after the public exploits were released.

"WordPress gets a bad rap for security. But the reality is that a highly impactful, unauthenticated SQL injection or remote code execution vulnerability in WordPress core is actually fairly rare," watchTowr CEO Benjamin Harris told BleepingComputer via email.

"That is exactly what makes this one different, and why everyone is scrambling to patch before widespread exploitation takes hold. The watchTowr team is already seeing PoC exploits in circulation, and we are beginning to see the first signs of in-the-wild exploitation."

Given the availability of public proof-of-concept exploits and the first reported signs of in-the-wild exploitation, administrators should ensure their sites are updated to WordPress 7.0.2 or 6.9.5 as soon as possible.

article image

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Read Entire Article