WordPress wp2shell Exploit: RCE Vulnerability Exposed, Patch Now!

www.news4hackers.com-wordpress-wp2shell-exploit-rce-vulnerability-exposed-patch-now--wordpress-wp2shell-exploit-rce-vulnerability-exposed-patch-now-

Exploits for critical remote code execution vulnerabilities in WordPress Core have been disclosed, prompting immediate action from administrators to secure affected installations.

Introduction to the wp2shell Vulnerabilities

Exploits for critical remote code execution vulnerabilities in WordPress Core have been disclosed, prompting immediate action from administrators to secure affected installations. The vulnerabilities, collectively termed “wp2shell,” involve two distinct flaws that can be combined to enable unauthenticated remote code execution against WordPress versions 6.9.x and 7.0.x. Discovered by Adam Kues of Searchlight Cyber, the flaws allow attackers to exploit default WordPress setups without requiring prior authentication.

Discovery and Impact

Searchlight Cyber highlighted that the vulnerabilities require no specific prerequisites and can be leveraged by anonymous users on standard WordPress installations.
The firm noted that over 500 million websites rely on WordPress, amplifying the potential impact of the flaws, particularly following the release of proof-of-concept exploits.

Technical Details of the Vulnerabilities

The attack chain combines two independent issues. The first, CVE-2026-63030, stems from a REST API batch-route confusion vulnerability introduced in WordPress 6.9. This flaw can be paired with an SQL injection vulnerability to achieve remote code execution. The second vulnerability, CVE-2026-60137, is an SQL injection flaw in the ‘author__not_in’ parameter of ‘WP_Query,’ classified as high-severity and affecting versions 6.8 and later. The full RCE chain impacts WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. The SQL injection flaw also affects 6.8.0 through 6.8.5 but cannot be exploited for RCE due to the absence of the REST API batch-route confusion bug in earlier versions.

Patches and Updates

Patches for both vulnerabilities are included in 6.9.5 and 7.0.2. The WordPress security team has activated forced automatic updates for supported installations running affected versions, urging users to upgrade to 7.0.2 or 6.9.5 immediately.

The WordPress security team has activated forced automatic updates for supported installations running affected versions, urging users to upgrade to 7.0.2 or 6.9.5 immediately.

Temporary Mitigation Measures

Recommended temporary measures include blocking anonymous REST API access via plugins or WAF rules targeting /wp-json/batch/v1 and ?rest_route=/batch/v1. Cloudflare has deployed WAF protections for both vulnerabilities across all plans, though the company emphasizes that these are not a substitute for patching.

Cloudflare has deployed WAF protections for both vulnerabilities across all plans, though the company emphasizes that these are not a substitute for patching.

Proof-of-Concept Exploits and Real-World Impact

Public proof-of-concept exploits have emerged on GitHub, with some demonstrating the ability to extract password hashes via SQL injection, crack administrator credentials, and execute arbitrary commands. Other exploits claim to achieve RCE without requiring administrative access, aligning with Searchlight Cyber’s findings. Security firm watchTowr confirmed early signs of in-the-wild exploitation, noting the rarity of such unauthenticated RCE flaws in WordPress core.

Security firm watchTowr confirmed early signs of in-the-wild exploitation, noting the rarity of such unauthenticated RCE flaws in WordPress core.

Recommendations for Administrators

Organizations are advised to prioritize updates to 7.0.2 or 6.9.5 immediately. The presence of active exploits and initial exploitation attempts underscores the urgency of addressing the vulnerabilities. Administrators are encouraged to test all security layers proactively to prevent adversary infiltration.



About Author

en_USEnglish