{"id":14399,"date":"2026-07-18T10:03:44","date_gmt":"2026-07-18T10:03:44","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/18\/new-wp2shell-rce-vulnerability-hits-millions-of-wordpress-sites-emergency-patch-released\/"},"modified":"2026-07-18T10:03:44","modified_gmt":"2026-07-18T10:03:44","slug":"new-wp2shell-rce-vulnerability-hits-millions-of-wordpress-sites-emergency-patch-released","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/18\/new-wp2shell-rce-vulnerability-hits-millions-of-wordpress-sites-emergency-patch-released\/","title":{"rendered":"New wp2shell RCE Vulnerability Hits Millions of WordPress Sites, Emergency Patch Released"},"content":{"rendered":"<p>    New wp2shell RCE Vulnerability Hits Millions of WordPress Sites, Emergency Patch Released<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A critical pre-authentication remote code execution (RCE) vulnerability dubbed \u201cwp2shell\u201d has been discovered in WordPress Core, putting an estimated 500 million+ websites at risk of full takeover by unauthenticated attackers.<\/p>\n<p class=\"sg-ai-highlighted-block wp-block-paragraph\">Security researcher Adam Kues of Searchlight Cyber\u2019s Assetnote research team uncovered the flaw, which stems from a REST API batch-route confusion issue that leads to SQL injection and, ultimately, remote code execution.<\/p>\n<p class=\"wp-block-paragraph\">What makes this bug especially dangerous is that it requires no preconditions and can be exploited by a completely anonymous, unauthenticated user against a stock WordPress installation with zero plugins installed.<\/p>\n<h2 id=\"h-wp2shell-rce-vulnerability\" class=\"wp-block-heading\"><strong>wp2shell RCE Vulnerability<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">In practical terms, an attacker doesn\u2019t need a login, a vulnerable plugin, or any special site configuration to compromise a target \u2014 just a reachable WordPress instance running an affected version.<\/p>\n<p class=\"wp-block-paragraph\">Given the severity of the bug, <a href=\"https:\/\/slcyber.io\/research-center\/wp2shell-pre-authentication-rce-in-wordpress-core\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Searchlight Cyber withheld technical exploit details<\/a> to give site owners time to patch, while releasing a free public scanner at <a href=\"https:\/\/wp2shell.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">wp2shell[.]com<\/a> so administrators can check whether their site is vulnerable.<\/p>\n<h2 id=\"h-which-wordpress-versions-are-affected\" class=\"wp-block-heading\"><strong>Which WordPress Versions Are Affected<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The vulnerability impacts a specific band of WordPress Core releases, tracked under two CVE identifiers: CVE-2026-60137 (also covering a separate <a href=\"https:\/\/cybersecuritynews.com\/postgresql-code-execution-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">SQL injection<\/a> issue) and CVE-2026-63030, the batch-route RCE flaw reported by Kues.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>WordPress version range<\/th>\n<th>Status<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>6.8.5 and earlier<\/td>\n<td>Not affected<\/td>\n<\/tr>\n<tr>\n<td>6.9.0 \u2013 6.9.4<\/td>\n<td>Affected<\/td>\n<\/tr>\n<tr>\n<td>7.0.0 \u2013 7.0.1<\/td>\n<td>Affected<\/td>\n<\/tr>\n<tr>\n<td>7.1 beta (pre-release)<\/td>\n<td>Affected<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\">Notably, the WordPress 6.8 branch is only affected by the SQL injection component (CVE-2026-60137), not the RCE chain, and a fix has been backported to version 6.8.6.<\/p>\n<p class=\"wp-block-paragraph\">WordPress.org <a href=\"https:\/\/wordpress.org\/news\/2026\/07\/wordpress-7-0-2-release\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">has shipped version 7.0.2<\/a>, along with backported fixes in 6.9.5 and 6.8.6, addressing both the critical RCE issue and a high-severity SQL injection flaw. Because of the severity, the WordPress.org team has taken the unusual step of force-pushing this update via the auto-update system to all sites running affected versions, rather than waiting for administrators to act manually.<\/p>\n<p class=\"wp-block-paragraph\">Site owners can also update manually through the WordPress Dashboard by navigating to Updates and clicking \u201cUpdate Now,\u201d or by downloading the release directly from WordPress.org.<\/p>\n<p class=\"wp-block-paragraph\">The security team credited three researchers TF1T, dtro, and haongo for jointly reporting the SQL injection issue, alongside Adam Kues for identifying the REST API batch-route RCE chain.<\/p>\n<p class=\"wp-block-paragraph\">For administrators who cannot immediately update, Searchlight Cyber recommends emergency stopgap measures, though these may disrupt legitimate site functionality:<\/p>\n<ul class=\"wp-block-list\">\n<li>Install a plugin that blocks anonymous access to the REST API entirely<\/li>\n<li>Block the <code>\/wp-json\/batch\/v1<\/code> and <code>?rest_route=\/batch\/v1<\/code> endpoints at the WAF level<\/li>\n<li>Treat both options as temporary only, until the official patch is applied<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Given the scale of WordPress\u2019s install base and the zero-click, no-plugin-required nature of this exploit, security teams are urging immediate patching over reliance on workarounds.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>\u00a0Strengthen Your SOC by Accelerating Threat Detection &amp; Rapid Investigations.\u00a0-&gt;\u00a0<a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate ANY.RUN With Your SOC\u00a0<\/a><strong><a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Now<\/a><\/strong>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/wp2shell-rce-vulnerability\/\">New wp2shell RCE Vulnerability Hits Millions of WordPress Sites, Emergency Patch Released<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/wp2shell-rce-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New wp2shell RCE Vulnerability Hits Millions of WordPress Sites, Emergency Patch Released A critical pre-authentication remote code execution (RCE) vulnerability dubbed \u201cwp2shell\u201d has been discovered in WordPress Core, putting an estimated 500 million+ websites at risk of full takeover by unauthenticated attackers. Security researcher Adam Kues of Searchlight Cyber\u2019s Assetnote research team uncovered the flaw, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-14399","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14399"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14399"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14399\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}