{"id":6361,"date":"2026-07-17T22:52:19","date_gmt":"2026-07-17T22:52:19","guid":{"rendered":"https:\/\/lockitsoft.com\/?p=6361"},"modified":"2026-07-17T22:52:19","modified_gmt":"2026-07-17T22:52:19","slug":"critical-wordpress-core-vulnerability-pre-authentication-remote-code-execution-exposes-millions-of-websites","status":"publish","type":"post","link":"https:\/\/lockitsoft.com\/?p=6361","title":{"rendered":"Critical WordPress Core Vulnerability: Pre-Authentication Remote Code Execution Exposes Millions of Websites"},"content":{"rendered":"<p>On July 17, 2026, WordPress, the world&#8217;s most popular content management system, addressed a critical pre-authentication Remote Code Execution (RCE) vulnerability within its core software. This flaw, discovered by Adam Kues of Assetnote, the attack surface management division of Searchlight Cyber, allowed anonymous users to execute arbitrary code on vulnerable WordPress installations with no preconditions. The vulnerability, designated as &quot;wp2shell&quot; by its discoverer, impacted WordPress versions 6.9 and 7.0, and its severity was underscored by WordPress&#8217;s decision to implement forced updates to mitigate the immediate risk to its vast user base.<\/p>\n<p>The discovery and subsequent disclosure of this significant security flaw highlight the persistent challenges in securing open-source software and the intricate dance between vulnerability discovery, patching, and widespread deployment. With an estimated 500 million websites powered by WordPress, the potential attack surface was immense, raising immediate concerns within the cybersecurity community.<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/lockitsoft.com\/?p=6361\/#The_Anatomy_of_the_wp2shell_Vulnerability\" >The Anatomy of the wp2shell Vulnerability<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/lockitsoft.com\/?p=6361\/#Timeline_of_Discovery_and_Mitigation\" >Timeline of Discovery and Mitigation<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/lockitsoft.com\/?p=6361\/#Affected_Versions_and_Deployment_Challenges\" >Affected Versions and Deployment Challenges<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/lockitsoft.com\/?p=6361\/#Broader_Implications_for_Open_Source_Security\" >Broader Implications for Open Source Security<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/lockitsoft.com\/?p=6361\/#Analysis_of_the_Impact\" >Analysis of the Impact<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/lockitsoft.com\/?p=6361\/#Mitigation_Strategies_for_Administrators\" >Mitigation Strategies for Administrators<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/lockitsoft.com\/?p=6361\/#The_Ongoing_Battle_for_Web_Security\" >The Ongoing Battle for Web Security<\/a><\/li><\/ul><\/nav><\/div>\n<h3><span class=\"ez-toc-section\" id=\"The_Anatomy_of_the_wp2shell_Vulnerability\"><\/span>The Anatomy of the wp2shell Vulnerability<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The wp2shell vulnerability, as detailed in a write-up by Searchlight Cyber, resides within the core WordPress software itself, meaning even a freshly installed, unadulterated WordPress site with no plugins or themes beyond the default ones was susceptible. This &quot;zero-day&quot; nature of the exploit, coupled with its pre-authentication status, made it particularly dangerous. Pre-authentication vulnerabilities are highly sought after by malicious actors because they do not require any prior access or credentials to exploit, allowing for widespread, unauthenticated attacks.<\/p>\n<p>According to WordPress&#8217;s official release notes, the vulnerability is described as a &quot;REST API batch-route confusion and SQL injection issue leading to Remote Code Execution.&quot; This technical description suggests a sophisticated flaw where an attacker could manipulate the WordPress REST API&#8217;s batch processing capabilities, potentially leading to SQL injection. This injection, in turn, could be leveraged to achieve remote code execution, giving an attacker full control over the compromised server.<\/p>\n<p>The affected code resided in several core WordPress files, including <code>\/wp-includes\/rest-api\/class-wp-rest-server.php<\/code>, <code>\/wp-includes\/class-wp-query.php<\/code>, and <code>\/wp-includes\/rest-api.php<\/code>. Notably, the batch endpoint itself is not a new feature, having been introduced in WordPress 5.6 in November 2020 and publicly documented since. The exact nature of the change in WordPress 6.9 that opened this vulnerability remains under scrutiny, but the fact that it was present in a core component that has existed for years underscores the potential for even well-established features to harbor unforeseen security risks.<\/p>\n<figure class=\"article-inline-figure\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiRULLT1q8L6AtUB7jgKywi_KSF8VGKkOF9yC3Snt81K1aD2XSEV1jgfIe331rXUWGqhmAyFgr1USssr4_CQmuE7HLAn0ShaQ0pHY_yvNYMjQdHtpV8i-vlk2ickhJSJDSN3amGox_DMR5hemMlrgXIk8kHoHlYKZncjpiV3ibF77ax1Yn0fEjxtgxy7tY\/s1700-e365\/wordpress-core.jpg\" alt=\"New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code\" class=\"article-inline-img\" loading=\"lazy\" \/><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"Timeline_of_Discovery_and_Mitigation\"><\/span>Timeline of Discovery and Mitigation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The timeline of events leading to the patching of this critical vulnerability is crucial for understanding the response and its effectiveness:<\/p>\n<ul>\n<li><strong>Prior to July 17, 2026:<\/strong> Adam Kues, working under the umbrella of Searchlight Cyber, identified the wp2shell vulnerability. He responsibly reported the flaw through WordPress&#8217;s HackerOne bug bounty program. The research firm, in a strategic move, opted to release a &quot;checker&quot; tool at wp2shell.com rather than immediate technical details, aiming to provide website owners with a means to test their installations while the patch was being prepared and deployed.<\/li>\n<li><strong>July 17, 2026:<\/strong> WordPress released urgent security updates: version 6.9.5 for the 6.9 branch and version 7.0.2 for the 7.0 branch. These releases were specifically designed to address the pre-authentication RCE flaw. In a significant move to protect its user base, WordPress also initiated a &quot;forced update&quot; mechanism through its auto-update system. This meant that even sites that had previously disabled automatic updates would likely receive the security patches without manual intervention. WordPress also stated that version 7.1 beta 2 carried the same fix.<\/li>\n<li><strong>July 17, 2026 (simultaneously):<\/strong> A separate security issue, a second SQL injection bug within the same release cycle, was also patched. This bug was reported by a different security research team, indicating a period of heightened vulnerability discovery within the WordPress ecosystem. While WordPress 6.8 users also received an update (6.8.6), this was specifically for the SQL injection issue, not the critical RCE.<\/li>\n<li><strong>July 18, 2026:<\/strong> As of this date, no public reports of exploitation attempts had been made. The absence of a CVE (Common Vulnerabilities and Exposures) identifier and a publicly available exploit signature likely contributed to this initial period of quiet. Cybersecurity agencies like CISA (Cybersecurity and Infrastructure Security Agency) typically require a CVE to add vulnerabilities to their Known Exploited Vulnerabilities (KEV) catalog, a crucial step for widespread threat intelligence.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Affected_Versions_and_Deployment_Challenges\"><\/span>Affected Versions and Deployment Challenges<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The vulnerability impacted WordPress versions 6.9 and 7.0. Given that WordPress 6.9 was released on December 2, 2025, this meant that websites running less than eight months old installations of WordPress were potentially at risk. The exact number of affected sites remains unknown, as WordPress has not disclosed specific figures for the vulnerable population within these versions.<\/p>\n<p>The decision by WordPress to implement &quot;forced updates&quot; is a testament to the severity of the wp2shell flaw. This aggressive approach aims to ensure that the vast majority of WordPress sites are patched as quickly as possible, minimizing the window of opportunity for attackers. However, the effectiveness of this forced push on sites that have deliberately disabled auto-updates is still being assessed. Website administrators are strongly advised to verify their current WordPress version and ensure the update has been successfully applied, rather than assuming it has been.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Broader_Implications_for_Open_Source_Security\"><\/span>Broader Implications for Open Source Security<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The wp2shell incident underscores a fundamental challenge inherent in open-source software development: the inherent transparency of the codebase. While open-source fosters collaboration and innovation, it also means that once a fix is released, the underlying vulnerability becomes public knowledge. This creates a race against time for website owners to apply the patch before malicious actors can reverse-engineer the fix and develop exploits.<\/p>\n<p>WordPress&#8217;s strategy of rapid patching and forced updates is a proactive measure to stay ahead in this race. However, it also highlights the critical importance of timely and efficient patch management for website administrators. In the past, similar incidents have demonstrated the speed at which vulnerabilities can be weaponized. For instance, a caching plugin vulnerability led to the &quot;WP-SHELLSTORM&quot; crew compromising over 17,000 sites, even though that bug was already public and patched, and only worked under specific non-default configurations.<\/p>\n<p>The comparison drawn by Searchlight Cyber to a Drupal core SQL injection vulnerability patched in May, where they released a &quot;same-day teardown with two working proofs of concept,&quot; is telling. While Searchlight chose not to immediately release the technical details of wp2shell, their capability to do so, coupled with the open-source nature of WordPress, means the information could eventually become public, increasing the pressure on users to update.<\/p>\n<figure class=\"article-inline-figure\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjQl2axNwsfhbXOFynrg_uAZsvHi3OvNGSA8KJO-BKR8Xm3x7yjKV3EvfY4v5mwXx6LF0uWFb9h9d9iAV_Pi-YYhqimX9wx4OaLdDJEdR215Xrxq_PAtXkaLfQso4pTSjbj6fvh_ZTliLpzWZSZfcoZgyXtKwhN-SSDDlmbtUqGLshc0KqYQGWYHMN52Sl1\/s728-e100\/zz-d.jpg\" alt=\"New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code\" class=\"article-inline-img\" loading=\"lazy\" \/><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"Analysis_of_the_Impact\"><\/span>Analysis of the Impact<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The wp2shell vulnerability represents a significant threat due to its pre-authentication nature and the potential for Remote Code Execution. This allows attackers to potentially:<\/p>\n<ul>\n<li><strong>Deface websites:<\/strong> Alter the content and appearance of websites to spread misinformation or malicious links.<\/li>\n<li><strong>Steal sensitive data:<\/strong> Access and exfiltrate user credentials, financial information, or other confidential data stored on the website or its associated databases.<\/li>\n<li><strong>Install malware:<\/strong> Distribute malicious software to website visitors, turning the compromised site into a distribution point for further attacks.<\/li>\n<li><strong>Use websites for illicit activities:<\/strong> Leverage the compromised server for sending spam, hosting phishing pages, or participating in botnets.<\/li>\n<li><strong>Gain full server control:<\/strong> In the worst-case scenario, attackers could achieve complete control over the web server, leading to further compromise of the hosting infrastructure.<\/li>\n<\/ul>\n<p>The fact that no CVE or CVSS score was immediately assigned means that automated scanning tools and vulnerability management systems may not have immediately flagged these sites as at risk. This underscores the importance of manual verification and staying informed through reliable security news channels.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Mitigation_Strategies_for_Administrators\"><\/span>Mitigation Strategies for Administrators<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>While updating to the patched versions (6.9.5, 7.0.2, or 7.1 beta 2) is the definitive solution, Searchlight Cyber has outlined several stopgap measures for administrators who cannot update immediately. These measures focus on restricting access to the vulnerable batch endpoint:<\/p>\n<ul>\n<li><strong>Web Application Firewall (WAF) Rules:<\/strong> Implementing WAF rules to block requests to the batch endpoint (e.g., <code>\/wp-json\/wp\/v2\/batch<\/code>). This is a common and effective security measure, but requires careful configuration to avoid blocking legitimate traffic.<\/li>\n<li><strong>Server-Level Access Control:<\/strong> Configuring server-level access controls (e.g., using <code>.htaccess<\/code> or Nginx configuration) to deny access to the batch endpoint from anonymous sources. This provides a more granular level of protection but can be complex to implement correctly.<\/li>\n<li><strong>Disabling the Batch Endpoint:<\/strong> While not officially recommended by WordPress as a long-term solution, temporarily disabling the batch endpoint at the server level could be an option for highly critical situations. This approach, however, carries a significant risk of breaking legitimate WordPress functionalities that rely on this endpoint.<\/li>\n<\/ul>\n<p>It is crucial to note that these are temporary workarounds and can potentially disrupt legitimate website operations, especially for sites that integrate with other services or use plugins that leverage the REST API&#8217;s batch functionality. The primary and most recommended course of action remains applying the official security updates.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"The_Ongoing_Battle_for_Web_Security\"><\/span>The Ongoing Battle for Web Security<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The wp2shell vulnerability serves as a stark reminder of the continuous and evolving nature of cybersecurity threats. The open-source model, while immensely beneficial, necessitates a vigilant approach to security from both the core development teams and the global user base. WordPress&#8217;s swift response, including forced updates, demonstrates a commitment to user safety. However, the responsibility ultimately lies with website owners to ensure their systems are up-to-date and secure.<\/p>\n<p>As malicious actors continue to probe for weaknesses, the cybersecurity landscape demands constant vigilance, rapid patching, and robust security practices. The battle for web security is a perpetual one, and incidents like wp2shell underscore the critical need for proactive defense and informed action within the digital realm. Users are encouraged to monitor official WordPress security advisories and follow cybersecurity news outlets to stay abreast of emerging threats and recommended actions.<\/p>\n<!-- RatingBintangAjaib -->","protected":false},"excerpt":{"rendered":"<p>On July 17, 2026, WordPress, the world&#8217;s most popular content management system, addressed a critical pre-authentication Remote Code Execution (RCE) vulnerability within its core software. This flaw, discovered by Adam Kues of Assetnote, the attack surface management division of Searchlight Cyber, allowed anonymous users to execute arbitrary code on vulnerable WordPress installations with no preconditions. &hellip;<\/p>\n","protected":false},"author":23,"featured_media":6360,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[108],"tags":[609,669,1524,742,109,1273,353,1006,111,1376,110,995,2754,2753],"class_list":["post-6361","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-protection","tag-authentication","tag-code","tag-core","tag-critical","tag-cybersecurity","tag-execution","tag-exposes","tag-millions","tag-privacy","tag-remote","tag-security","tag-vulnerability","tag-websites","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts\/6361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6361"}],"version-history":[{"count":0,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts\/6361\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/media\/6360"}],"wp:attachment":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}