A critical pre-authentication remote code execution (RCE) vulnerability dubbed "wp2shell" has been discovered in WordPress Core, potentially exposing more than 500 million websites to complete compromise by unauthenticated attackers.
The vulnerability was discovered by Adam Kues of Searchlight Cyber’s Assetnote research team and stems from a REST API batch-route confusion flaw that can be leveraged to achieve SQL injection and ultimately remote code execution.
What makes this vulnerability particularly dangerous is that it requires no authentication, no plugins, and no special configuration. A default WordPress installation running an affected version can be compromised by any remote attacker with network access to the site.
How the Vulnerability Works
According to researchers, the flaw originates from confusion in WordPress's REST API batch processing functionality.
The vulnerability chain allows attackers to:
- Exploit a REST API batch-route confusion issue
- Trigger SQL injection
- Escalate the attack into remote code execution
- Gain full control of the WordPress server
Because exploitation requires no credentials or user interaction, the vulnerability represents one of the most severe WordPress Core security issues disclosed in recent years.
To reduce the risk of widespread exploitation, Searchlight Cyber has withheld technical proof-of-concept details and instead released a public vulnerability scanner at wp2shell[.]com.
Affected Versions
The vulnerabilities are tracked as:
- CVE-2026-60137 — SQL Injection
- CVE-2026-63030 — REST API Batch Route Remote Code Execution
| WordPress Version | Status |
|---|---|
| 6.8.5 and earlier | Not affected |
| 6.9.0 – 6.9.4 | Affected |
| 7.0.0 – 7.0.1 | Affected |
| 7.1 Beta | Affected |
Important Note
The 6.8.x branch is only affected by the SQL injection vulnerability (CVE-2026-60137) and is not vulnerable to the RCE chain.
Security Updates Released
The WordPress security team has released patched versions:
| Fixed Release | Purpose |
|---|---|
| WordPress 7.0.2 | Fixes RCE and SQLi |
| WordPress 6.9.5 | Backported security fixes |
| WordPress 6.8.6 | Fixes SQL injection vulnerability |
Due to the severity of the issue, WordPress.org has taken the unusual step of force-deploying automatic updates to affected installations rather than waiting for administrators to update manually.
Recommended Actions
Administrators should immediately upgrade to:
- WordPress 7.0.2
- WordPress 6.9.5
- WordPress 6.8.6
Updates can be installed through:
Dashboard → Updates → Update Now
or by downloading the latest release directly from WordPress.org.
Temporary Mitigations
For organizations unable to patch immediately, Searchlight Cyber recommends temporary protections:
Block Anonymous REST API Access
Install a security plugin that prevents unauthenticated access to the WordPress REST API.
Block Vulnerable Endpoints
Restrict access to:
/wp-json/batch/v1
?rest_route=/batch/v1
using a WAF, reverse proxy, or web server rules.
These mitigations should only be considered temporary safeguards until official updates are applied.
Why This Matters
WordPress powers a significant portion of the internet, making core vulnerabilities particularly attractive to threat actors.
Because wp2shell:
- Requires no authentication
- Works against default installations
- Does not require vulnerable plugins
- Enables full remote code execution
security teams should treat this as an emergency patching priority.
Researchers TF1T, dtro, and haongo were credited for reporting the SQL injection vulnerability, while Adam Kues identified the REST API batch-route RCE chain.