3 min read

Patch WordPress now as wp2shell exploits spread

Public exploits for two chained WordPress core flaws are out, with early signs of active attacks. Update to 7.0.2 or 6.9.5 immediately.

Image: BleepingComputer

Public exploits are now available for the critical “wp2shell” vulnerabilities in WordPress Core, raising the urgency for administrators to patch affected sites. The attack chains CVE-2026-63030 and CVE-2026-60137 to achieve pre-authentication remote code execution on default WordPress 6.9.x and 7.0.x installations.

The flaws were discovered by Adam Kues of Searchlight Cyber, which said an anonymous attacker can exploit a stock WordPress install with no plugins.

“Searchlight Cyber’s security research team has discovered a pre-authentication RCE in WordPress Core.” “The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.”

Searchlight Cyber

With more than 500 million websites using WordPress, the potential impact is large. In response, the WordPress security team has enabled forced automatic security updates for supported installations on affected versions and is urging site owners to move to WordPress 7.0.2 or 6.9.5 immediately.

Affected versions and temporary mitigations

The bug chain is made up of two separate issues:

  • CVE-2026-63030: a REST API batch-route confusion vulnerability introduced in WordPress 6.9
  • CVE-2026-60137: an SQL injection flaw in the author__not_in parameter of WP_Query

According to WordPress advisories, the full RCE chain affects WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. The SQL injection bug also affects WordPress 6.8.0 through 6.8.5, but it cannot be chained to RCE there because the REST API flaw was only added in 6.9.

Recommended reading

7-Zip 26.02 patches archive-based RCE bug

Searchlight Cyber is withholding technical details for now and instead launched wp2shell.com, which lets administrators test whether their installations are vulnerable. For organizations that cannot patch immediately, the company recommends either blocking anonymous access to the REST API with a plugin or blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at the WAF layer. It said those steps should be treated only as temporary mitigation.

Cloudflare said it has deployed WAF protections for both flaws across all plans, including free accounts, for sites proxied through its platform. The company said the rules block exploitation attempts for both CVE-2026-60137 and CVE-2026-63030, but stressed that WAF coverage is not a replacement for patching.

Public PoCs are already circulating

Although Searchlight Cyber delayed publishing technical details, multiple public proof-of-concept exploits have since appeared on GitHub. Some chain the bugs to pull WordPress password hashes via SQL injection, crack an administrator password, then upload a malicious plugin to run commands. Others claim to achieve pre-authentication RCE without admin credentials, matching Searchlight Cyber’s description more closely.

watchTowr told BleepingComputer it is already seeing early real-world exploitation after the PoCs were published.

“WordPress gets a bad rap for security. But the reality is that a highly impactful, unauthenticated SQL injection or remote code execution vulnerability in WordPress core is actually fairly rare.” “That is exactly what makes this one different, and why everyone is scrambling to patch before widespread exploitation takes hold. The watchTowr team is already seeing PoC exploits in circulation, and we are beginning to see the first signs of in-the-wild exploitation.”

Benjamin Harris, CEO, watchTowr

Given the public exploits and the first reported signs of active abuse, administrators should update affected sites to WordPress 7.0.2 or 6.9.5 as soon as possible.

article image
article image
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading