A critical pre-authentication remote code execution (RCE) vulnerability dubbed "wp2shell" has been discovered in WordPress Core, potentially exposing more than 500 million websites to complete compromise by unauthenticated attackers.

The vulnerability was discovered by Adam Kues of Searchlight Cyber’s Assetnote research team and stems from a REST API batch-route confusion flaw that can be leveraged to achieve SQL injection and ultimately remote code execution.

What makes this vulnerability particularly dangerous is that it requires no authentication, no plugins, and no special configuration. A default WordPress installation running an affected version can be compromised by any remote attacker with network access to the site.

How the Vulnerability Works

According to researchers, the flaw originates from confusion in WordPress's REST API batch processing functionality.

The vulnerability chain allows attackers to:

  1. Exploit a REST API batch-route confusion issue
  2. Trigger SQL injection
  3. Escalate the attack into remote code execution
  4. Gain full control of the WordPress server

Because exploitation requires no credentials or user interaction, the vulnerability represents one of the most severe WordPress Core security issues disclosed in recent years.

To reduce the risk of widespread exploitation, Searchlight Cyber has withheld technical proof-of-concept details and instead released a public vulnerability scanner at wp2shell[.]com.

Affected Versions

The vulnerabilities are tracked as:

  • CVE-2026-60137 — SQL Injection
  • CVE-2026-63030 — REST API Batch Route Remote Code Execution
WordPress Version Status
6.8.5 and earlier Not affected
6.9.0 – 6.9.4 Affected
7.0.0 – 7.0.1 Affected
7.1 Beta Affected

Important Note

The 6.8.x branch is only affected by the SQL injection vulnerability (CVE-2026-60137) and is not vulnerable to the RCE chain.

Security Updates Released

The WordPress security team has released patched versions:

Fixed Release Purpose
WordPress 7.0.2 Fixes RCE and SQLi
WordPress 6.9.5 Backported security fixes
WordPress 6.8.6 Fixes SQL injection vulnerability

Due to the severity of the issue, WordPress.org has taken the unusual step of force-deploying automatic updates to affected installations rather than waiting for administrators to update manually.

Recommended Actions

Administrators should immediately upgrade to:

  • WordPress 7.0.2
  • WordPress 6.9.5
  • WordPress 6.8.6

Updates can be installed through:

Dashboard → Updates → Update Now

or by downloading the latest release directly from WordPress.org.

Temporary Mitigations

For organizations unable to patch immediately, Searchlight Cyber recommends temporary protections:

Block Anonymous REST API Access

Install a security plugin that prevents unauthenticated access to the WordPress REST API.

Block Vulnerable Endpoints

Restrict access to:

/wp-json/batch/v1
?rest_route=/batch/v1

using a WAF, reverse proxy, or web server rules.

These mitigations should only be considered temporary safeguards until official updates are applied.

Why This Matters

WordPress powers a significant portion of the internet, making core vulnerabilities particularly attractive to threat actors.

Because wp2shell:

  • Requires no authentication
  • Works against default installations
  • Does not require vulnerable plugins
  • Enables full remote code execution

security teams should treat this as an emergency patching priority.

Researchers TF1T, dtro, and haongo were credited for reporting the SQL injection vulnerability, while Adam Kues identified the REST API batch-route RCE chain.