WordPress wp2shell Exploit: RCE Vulnerability Exposed, Patch Now!
Exploits for critical remote code execution vulnerabilities in WordPress Core have been disclosed, prompting immediate action from administrators to secure affected installations.
Introduction to the wp2shell Vulnerabilities
Exploits for critical remote code execution vulnerabilities in WordPress Core have been disclosed, prompting immediate action from administrators to secure affected installations. The vulnerabilities, collectively termed “wp2shell,” involve two distinct flaws that can be combined to enable unauthenticated remote code execution against WordPress versions 6.9.x and 7.0.x. Discovered by Adam Kues of Searchlight Cyber, the flaws allow attackers to exploit default WordPress setups without requiring prior authentication.
Discovery and Impact
Technical Details of the Vulnerabilities
The attack chain combines two independent issues. The first, CVE-2026-63030, stems from a REST API batch-route confusion vulnerability introduced in WordPress 6.9. This flaw can be paired with an SQL injection vulnerability to achieve remote code execution. The second vulnerability, CVE-2026-60137, is an SQL injection flaw in the ‘author__not_in’ parameter of ‘WP_Query,’ classified as high-severity and affecting versions 6.8 and later. The full RCE chain impacts WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. The SQL injection flaw also affects 6.8.0 through 6.8.5 but cannot be exploited for RCE due to the absence of the REST API batch-route confusion bug in earlier versions.
Patches and Updates
Patches for both vulnerabilities are included in 6.9.5 and 7.0.2. The WordPress security team has activated forced automatic updates for supported installations running affected versions, urging users to upgrade to 7.0.2 or 6.9.5 immediately.
Temporary Mitigation Measures
Recommended temporary measures include blocking anonymous REST API access via plugins or WAF rules targeting /wp-json/batch/v1 and ?rest_route=/batch/v1. Cloudflare has deployed WAF protections for both vulnerabilities across all plans, though the company emphasizes that these are not a substitute for patching.
Proof-of-Concept Exploits and Real-World Impact
Public proof-of-concept exploits have emerged on GitHub, with some demonstrating the ability to extract password hashes via SQL injection, crack administrator credentials, and execute arbitrary commands. Other exploits claim to achieve RCE without requiring administrative access, aligning with Searchlight Cyber’s findings. Security firm watchTowr confirmed early signs of in-the-wild exploitation, noting the rarity of such unauthenticated RCE flaws in WordPress core.
Recommendations for Administrators
Organizations are advised to prioritize updates to 7.0.2 or 6.9.5 immediately. The presence of active exploits and initial exploitation attempts underscores the urgency of addressing the vulnerabilities. Administrators are encouraged to test all security layers proactively to prevent adversary infiltration.
