New wp2shell WordPress core flaw lets unauthenticated attackers run code on default installs. Here’s what happened, which versions are affected, and how to protect your site.
New wp2shell WordPress core flaw lets unauthenticated attackers run code
New wp2shell WordPress core flaw lets unauthenticated attackers run code on default installations, and that’s not an exaggeration or a scare headline — it’s how security researchers describe the bug in WordPress itself. The vulnerability is a pre‑authentication remote code execution (RCE) issue in WordPress core that can be triggered by an anonymous HTTP request hitting the REST API batch endpoint.
For once, this isn’t a plugin problem. It’s the core engine that drives hundreds of millions of sites worldwide, which is why the discovery has put security teams and hosting providers on high alert.
What exactly is wp2shell?
Security researchers at Searchlight Cyber found the flaw and nicknamed it wp2shell, capturing the essence of the risk: an attacker can turn your WordPress site into a shell they control. The issue actually comes from a chain of two vulnerabilities in WordPress core.
-
CVE‑2026‑63030 – a route confusion bug in the REST API batch endpoint at
/wp-json/batch/v1that lets an attacker craft requests in unexpected ways. -
CVE‑2026‑60137 – a SQL injection issue in the
author__not_inparameter ofWP_Query, present in WordPress 6.8 and newer.
When chained together, these bugs let an unauthenticated attacker hit the batch endpoint, abuse the route confusion, trigger the SQL injection, and finally achieve arbitrary code execution on a stock WordPress install.
In practice, that means someone who’s never logged into your site and doesn’t rely on any plugin bug can send a crafted request and run their own code on your server.
Which WordPress versions are affected?
The new wp2shell WordPress core flaw lets unauthenticated attackers run code on specific ranges of recent WordPress versions.
-
Affected ranges:
-
WordPress 6.9.0 – 6.9.4
-
WordPress 7.0.0 – 7.0.1
-
-
Patched versions:
-
WordPress 6.9.5
-
WordPress 7.0.2
-
Fix also included in 7.1 Beta 2.
-
The underlying SQL injection (CVE‑2026‑60137) is present in WordPress 6.8 and above, but the full wp2shell RCE chain is confirmed for 6.9 and 7.0 in the ranges above.
What makes this especially worrying is that the attack has no preconditions beyond running one of those versions: no plugins, no custom themes, and no special configuration are required.
How serious is this vulnerability?
Most WordPress security stories revolve around a vulnerable plugin installed on too many sites; wp2shell breaks that pattern. The new wp2shell WordPress core flaw lets unauthenticated attackers run code in the heart of the platform, and that’s why security vendors are treating it as critical.
A few reasons it stands out:
-
It’s pre‑auth RCE in core: the attacker does not need credentials or a role on your site.
-
It targets default installs, which means the usual “just remove the bad plugin” fix doesn’t apply.
-
It potentially touches hundreds of millions of sites, given WordPress’s footprint across blogs, business sites, and e‑commerce.
-
A proof of concept (PoC) exploit has already been published, raising the odds that automated attacks will follow.
Rapid7 notes that even though the current CVSS score sits around 7.5, the practical risk is closer to “critical” because of the reach and ease of exploitation. Several security firms are already monitoring customer environments specifically for suspicious traffic targeting the batch endpoint.
How WordPress responded — and why you still need to check
Once the issue was reported, the WordPress security team released 6.9.5 and 7.0.2 on July 17, 2026 to close the wp2shell chain and backported mitigations to older branches. They also triggered forced automatic updates for many affected sites in an effort to push the patches quickly.
That’s good news, but it doesn’t entirely solve the problem.
Security advisories are explicit about one thing: don’t assume your site updated itself. Auto‑updates can be disabled, blocked by custom deployment, or delayed by constraints on some hosting platforms.
So even though the new wp2shell WordPress core flaw lets unauthenticated attackers run code only on unpatched versions, it’s on you to confirm that your site is running 6.9.5, 7.0.2, or a newer fixed release.
What site owners should do right now
If you run WordPress — whether it’s a personal blog, agency portfolio, or a large multi‑site platform — this is one of those moments where you pause and check.
-
Verify your WordPress version.
-
Log into
wp-adminand check the version in the Dashboard → Updates screen or footer. -
If you see 6.9.0–6.9.4 or 7.0.0–7.0.1, you’re in the vulnerable range.
-
-
Update immediately.
-
Move to 6.9.5 or 7.0.2, or a newer patched release if available.
-
If you use staging, do a quick sanity test, then push the update to production within 24 hours.
-
-
Use the wp2shell checker if needed.
-
Searchlight Cyber provides a free checker at wp2shell.com to help you confirm whether your site sits in the affected range.
-
-
Monitor logs and traffic.
-
Watch for unusual requests targeting
/wp-json/batch/v1or strange REST API behavior. -
Keep an eye out for new admin accounts, odd files in
wp-content, and unfamiliar scheduled tasks — all common signs of compromise on WordPress.
-
-
Harden your environment.
-
Restrict administrative access by IP or VPN where possible.
-
Make sure backups are recent and tested so you can restore if needed.
-
Review who actually needs admin privileges; reduce where you can.
-
None of this is glamorous work, but when the new wp2shell WordPress core flaw lets unauthenticated attackers run code, the boring steps are what keep your site intact.
Why this should change how you think about WordPress security
If you’ve ever shrugged off core updates because “we don’t use risky plugins,” wp2shell is a reality check. The new wp2shell WordPress core flaw lets unauthenticated attackers run code even on a clean, bare install, and that erases the usual comfort zone many teams rely on.
It also underscores a bigger point:
-
Patch discipline isn’t optional anymore. Frontier web software is complex, and the attack surface now includes core logic, APIs, and performance features — not just the plugins you install.
-
REST APIs need as much scrutiny as front‑end code. The vulnerable batch endpoint existed to make multi‑request workflows easier, but it also opened a door for exploitation when route validation fell short.
-
Threat actors move fast when PoCs appear. Once working exploit code is public, automated scans start hitting any site that looks vulnerable. Being a few days late on a patch can be enough to matter.
You don’t have to panic, but you also shouldn’t be casual. If WordPress powers something you care about — a client’s store, your own publication, or a community hub — treating wp2shell as a genuine emergency patch is the responsible move.
Wrapping it up
If we strip away the acronyms and CVE IDs, the story is pretty simple: the new wp2shell WordPress core flaw lets unauthenticated attackers run code on default WordPress installs, and the fix is already available — but only if you actually apply it.
Security teams have done their part by finding the bug, reporting it, and pushing a patch. Now the question is whether site owners will close the gap before opportunistic attackers decide to turn this into another mass exploitation campaign.
If you’re reading this and thinking, “I’ll check later,” don’t. Log in, check the version, and update. It’s one of those small tasks that quietly decides whether your weekend stays quiet or turns into a recovery scramble.