{"id":6407,"date":"2026-07-18T10:52:19","date_gmt":"2026-07-18T10:52:19","guid":{"rendered":"https:\/\/lockitsoft.com\/?p=6407"},"modified":"2026-07-18T10:52:19","modified_gmt":"2026-07-18T10:52:19","slug":"wordpress-core-vulnerabilities-wp2shell-enable-unauthenticated-remote-code-execution-via-chained-exploits","status":"publish","type":"post","link":"https:\/\/lockitsoft.com\/?p=6407","title":{"rendered":"WordPress Core Vulnerabilities &quot;wp2shell&quot; Enable Unauthenticated Remote Code Execution via Chained Exploits"},"content":{"rendered":"<p>An anonymous HTTP request can now execute arbitrary code on a WordPress site, a critical vulnerability that affects core functionality and requires no plugins to exploit. The bug, dubbed &quot;wp2shell,&quot; stems from a combination of two distinct flaws, both of which have now been assigned CVE identification numbers. The first, CVE-2026-63030, involves a confusion within the REST API&#8217;s batch routing mechanism, while the second, CVE-2026-60137, is a SQL injection vulnerability present in WordPress core. When chained together, these vulnerabilities allow an unauthenticated attacker to achieve remote code execution (RCE) on vulnerable systems. This widespread threat loomed over all WordPress sites running versions 6.9 and 7.0 until Friday, July 18, 2026, when WordPress proactively released security updates 6.9.5 and 7.0.2, leveraging its auto-update system to enforce patches on a significant portion of its user base.<\/p>\n<p>The gravity of this situation was amplified as the full exploitation mechanism became publicly available, and a functional proof-of-concept exploit was released on GitHub shortly after WordPress began deploying its fixes. This rapid dissemination of technical details underscores the constant race between vulnerability disclosure and patching in the cybersecurity landscape.<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/lockitsoft.com\/?p=6407\/#Genesis_of_the_Vulnerability_Discovery_and_Disclosure\" >Genesis of the Vulnerability: Discovery and Disclosure<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/lockitsoft.com\/?p=6407\/#Understanding_the_Technical_Exploitation_Chain\" >Understanding the Technical Exploitation Chain<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/lockitsoft.com\/?p=6407\/#Versioning_and_Exposure_A_Divided_Threat_Landscape\" >Versioning and Exposure: A Divided Threat Landscape<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/lockitsoft.com\/?p=6407\/#Scoring_and_Severity_A_Disconnect_in_Perception\" >Scoring and Severity: A Disconnect in Perception<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/lockitsoft.com\/?p=6407\/#A_Limiting_Factor_Persistent_Object_Caching\" >A Limiting Factor: Persistent Object Caching<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/lockitsoft.com\/?p=6407\/#Official_Responses_and_Broader_Implications\" >Official Responses and Broader Implications<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/lockitsoft.com\/?p=6407\/#Mitigation_Strategies_for_Sites_Unable_to_Update_Immediately\" >Mitigation Strategies for Sites Unable to Update Immediately<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/lockitsoft.com\/?p=6407\/#The_Race_Against_Time_Patching_and_Exploitation\" >The Race Against Time: Patching and Exploitation<\/a><\/li><\/ul><\/nav><\/div>\n<h3><span class=\"ez-toc-section\" id=\"Genesis_of_the_Vulnerability_Discovery_and_Disclosure\"><\/span>Genesis of the Vulnerability: Discovery and Disclosure<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The initial discovery of the batch-route confusion vulnerability was made by Adam Kues, affiliated with Assetnote, the attack surface management division of Searchlight Cyber. Kues responsibly reported the flaw through WordPress&#8217;s established HackerOne bug bounty program. Searchlight Cyber later published a detailed write-up under the moniker &quot;wp2shell,&quot; emphasizing that the exploit carries &quot;no preconditions and can be exploited by an anonymous user.&quot; The SQL injection component, on the other hand, was reported independently by a trio of researchers: TF1T, dtro, and haongo.<\/p>\n<p>Searchlight Cyber has maintained a degree of technical reticence regarding its own in-depth analysis, opting instead to direct website owners to a dedicated checker at wp2shell.com. However, this strategic approach has been somewhat undermined by the public availability of the patch and the subsequent scrutiny by other security researchers who have effectively reverse-engineered the fix.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Understanding_the_Technical_Exploitation_Chain\"><\/span>Understanding the Technical Exploitation Chain<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The wp2shell exploit is a sophisticated two-stage attack that hinges on the interplay between the REST API batch endpoint and a specific parameter within the WP_Query class.<\/p>\n<p><strong>1. The SQL Injection (CVE-2026-60137):<\/strong> This vulnerability lies within the <code>WP_Query<\/code> class, a fundamental component of WordPress for database queries. Specifically, the <code>author__not_in<\/code> parameter is susceptible. When this parameter is provided with a string value instead of the expected array, a crucial validation check is bypassed. This allows raw, unsanitized input to be directly incorporated into SQL queries. This direct access to the database is highly dangerous, potentially allowing attackers to extract sensitive information, modify data, or even compromise the integrity of the entire database. This injection vulnerability has a broader reach, impacting WordPress versions as far back as 6.8.<\/p>\n<p><strong>2. The REST API Batch Route Confusion (CVE-2026-63030):<\/strong> This vulnerability is the key to transforming the SQL injection from a potentially authenticated attack vector into a fully unauthenticated remote code execution. The <code>\/wp-json\/batch\/v1<\/code> route in WordPress&#8217;s REST API is designed to process multiple sub-requests within a single HTTP call. It manages these requests using two parallel arrays. However, an error in the handling of one sub-request can cause these arrays to fall out of synchronization by one element. This desynchronization is critical: it means a subsequent request, intended for one handler, might instead be processed by a different handler.<\/p>\n<p>When an attacker crafts a malicious request targeting the batch endpoint, they can leverage this confusion to bypass the endpoint&#8217;s allow-list and ensure their input, containing the crafted SQL injection payload, reaches the vulnerable <code>WP_Query<\/code> parameter. This bypass is the crucial step that removes the authentication requirement, enabling anonymous exploitation. The batch endpoint itself has been part of WordPress core since version 5.6, released in November 2020. However, the specific confusion that allows for this abuse is a more recent addition, present only in WordPress version 6.9 and later.<\/p>\n<figure class=\"article-inline-figure\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiRULLT1q8L6AtUB7jgKywi_KSF8VGKkOF9yC3Snt81K1aD2XSEV1jgfIe331rXUWGqhmAyFgr1USssr4_CQmuE7HLAn0ShaQ0pHY_yvNYMjQdHtpV8i-vlk2ickhJSJDSN3amGox_DMR5hemMlrgXIk8kHoHlYKZncjpiV3ibF77ax1Yn0fEjxtgxy7tY\/s1700-e365\/wordpress-core.jpg\" alt=\"New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code\" class=\"article-inline-img\" loading=\"lazy\" \/><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"Versioning_and_Exposure_A_Divided_Threat_Landscape\"><\/span>Versioning and Exposure: A Divided Threat Landscape<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The differing version ranges affected by each component of the wp2shell vulnerability create a nuanced picture of exposure:<\/p>\n<ul>\n<li><strong>WordPress versions 6.8.x:<\/strong> These versions are vulnerable to the SQL injection (CVE-2026-60137) alone. While this is a serious security concern, it does not, by itself, lead to unauthenticated RCE. WordPress 6.8.6 specifically addresses this injection vulnerability.<\/li>\n<li><strong>WordPress versions 6.9.x:<\/strong> These versions are vulnerable to both the SQL injection and the batch-route confusion. This combination is what enables the unauthenticated RCE. The batch-route confusion was introduced in version 6.9.<\/li>\n<li><strong>WordPress versions 7.0.x:<\/strong> Similar to version 6.9, these versions are also susceptible to the chained exploit.<\/li>\n<\/ul>\n<p>WordPress security update 6.9.5 and 7.0.2, released on Friday, July 18, 2026, address both vulnerabilities. The development team has confirmed that version 7.1 beta2 also incorporates these critical fixes. The decision to enable &quot;forced updates&quot; via the auto-update system is a significant measure, aiming to rapidly patch as many vulnerable sites as possible before attackers can fully weaponize the publicly available exploit details.<\/p>\n<p>The full install base of WordPress is estimated to be over 500 million websites. However, the RCE chain is only present from version 6.9 onwards, which was released on December 2, 2025. This means that any site exposed to the code-execution path is running a release that is less than eight months old. The exact number of sites running these vulnerable versions remains unconfirmed by official advisories.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Scoring_and_Severity_A_Disconnect_in_Perception\"><\/span>Scoring and Severity: A Disconnect in Perception<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The official WordPress security advisory rates the complete RCE chain as &quot;Critical.&quot; However, the Common Vulnerabilities and Exposures (CVE) record for the combined exploit assigns a score of 7.5, categorized as &quot;High.&quot; This discrepancy highlights a potential underestimation of the RCE&#8217;s impact, as the CVE metrics primarily credit data access rather than the full extent of integrity and availability loss typically associated with code execution.<\/p>\n<p>The SQL injection vulnerability itself, when considered in isolation, receives a higher score, exceeding 9.1, also designated as &quot;Critical.&quot; This scoring emphasizes the direct database access and manipulation capabilities of the injection. Security experts urge administrators to track both CVEs individually rather than relying solely on the broad &quot;critical RCE&quot; label. The underlying technical details and the potential for exploitation should be the primary focus, as the scoring system may not fully capture the real-world risk.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"A_Limiting_Factor_Persistent_Object_Caching\"><\/span>A Limiting Factor: Persistent Object Caching<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A notable condition that can mitigate the risk of the RCE path is the presence of a persistent object cache, such as Redis or Memcached. According to analysis from Cloudflare, which has also released Web Application Firewall (WAF) rules to counter the exploit, the code-execution path specifically fails when a site is actively using such a caching mechanism. A default WordPress installation, which typically lacks a persistent object cache, therefore remains fully exposed to this RCE vector.<\/p>\n<p>It is crucial to understand that while persistent object caching may prevent the RCE exploit, it does not protect against the underlying SQL injection vulnerability (CVE-2026-60137). Therefore, even sites employing object caching are still at risk of data compromise or manipulation.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Official_Responses_and_Broader_Implications\"><\/span>Official Responses and Broader Implications<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The WordPress security team&#8217;s swift action in releasing patches and enabling forced updates demonstrates a commitment to addressing critical vulnerabilities. However, the question remains whether these forced updates will reach sites where administrators have explicitly disabled the auto-update functionality. Website owners are strongly advised to verify their current WordPress version rather than assuming the patch has been automatically applied.<\/p>\n<p>As of July 18, 2026, the exploit has not been added to the Cybersecurity and Infrastructure Security Agency&#8217;s (CISA) Known Exploited Vulnerabilities (KEV) catalog, which requires confirmed exploitation in the wild. No exploitation incidents have been publicly reported yet. However, this lack of immediate reporting does not diminish the threat, especially given the public availability of the exploit.<\/p>\n<figure class=\"article-inline-figure\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjQl2axNwsfhbXOFynrg_uAZsvHi3OvNGSA8KJO-BKR8Xm3x7yjKV3EvfY4v5mwXx6LF0uWFb9h9d9iAV_Pi-YYhqimX9wx4OaLdDJEdR215Xrxq_PAtXkaLfQso4pTSjbj6fvh_ZTliLpzWZSZfcoZgyXtKwhN-SSDDlmbtUqGLshc0KqYQGWYHMN52Sl1\/s728-e100\/zz-d.jpg\" alt=\"New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code\" class=\"article-inline-img\" loading=\"lazy\" \/><\/figure>\n<p>The cybersecurity industry is well aware of the potential for mass exploitation of WordPress. Previously, a flaw in a caching plugin led to the WP-SHELLSTORM campaign, compromising over 17,000 sites. That exploit targeted a non-default setting, was publicly known, and had already been patched. The wp2shell vulnerability, in contrast, affects the core software, works on default configurations, and is now publicly disclosed with a working exploit.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Mitigation_Strategies_for_Sites_Unable_to_Update_Immediately\"><\/span>Mitigation Strategies for Sites Unable to Update Immediately<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>For administrators who cannot immediately update their WordPress installations, Searchlight Cyber has outlined several temporary mitigation strategies. These measures primarily focus on restricting access to the batch endpoint, thereby preventing anonymous callers from triggering the exploit chain. However, it is important to note that these are stopgap solutions and may inadvertently break legitimate integrations or functionalities.<\/p>\n<p>These mitigation strategies include:<\/p>\n<ul>\n<li><strong>Web Application Firewall (WAF) Rules:<\/strong> Implementing WAF rules specifically designed to block or challenge requests to the <code>\/wp-json\/batch\/v1<\/code> endpoint.<\/li>\n<li><strong>Access Control Lists (ACLs):<\/strong> Configuring server-level ACLs to deny access to the batch endpoint from untrusted IP addresses.<\/li>\n<li><strong>Plugin-Based Restrictions:<\/strong> Utilizing security plugins that offer granular control over REST API endpoints and can be configured to block access to the batch route.<\/li>\n<\/ul>\n<p>These measures serve as temporary shields until a permanent solution, the software update, can be applied.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"The_Race_Against_Time_Patching_and_Exploitation\"><\/span>The Race Against Time: Patching and Exploitation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The open-source nature of WordPress means that its code is publicly available, and release notes often detail the files that have been modified. While Searchlight Cyber initially withheld its full technical write-up, the release of the patch itself provided enough information for other researchers to reconstruct the exploit mechanism and publish proof-of-concept code. This scenario highlights a fundamental challenge in software security: it is often impossible to ship a fix without also providing a roadmap to the vulnerability.<\/p>\n<p>The only effective lever remaining is the speed at which the patch can be deployed to the global user base. WordPress&#8217;s decision to enforce updates through its auto-update system on Friday was a forceful attempt to close this window of opportunity for attackers.<\/p>\n<p>Now, with the exploit publicly available and updates still rolling out, the cybersecurity community will be closely watching two key metrics: WordPress&#8217;s version statistics to gauge the adoption rate of the patch, and network traffic analysis for the <code>\/wp-json\/batch\/v1<\/code> endpoint to identify attackers actively scanning for vulnerable sites. The relative steepness of these two curves will ultimately determine how this critical vulnerability, wp2shell, is remembered in the annals of cybersecurity. The continued vigilance of website administrators and security professionals is paramount in mitigating the potential fallout from this significant security threat.<\/p>\n<!-- RatingBintangAjaib -->","protected":false},"excerpt":{"rendered":"<p>An anonymous HTTP request can now execute arbitrary code on a WordPress site, a critical vulnerability that affects core functionality and requires no plugins to exploit. The bug, dubbed &quot;wp2shell,&quot; stems from a combination of two distinct flaws, both of which have now been assigned CVE identification numbers. The first, CVE-2026-63030, involves a confusion within &hellip;<\/p>\n","protected":false},"author":23,"featured_media":6406,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[108],"tags":[2808,669,1524,109,2806,1273,603,111,1376,110,2805,2807,365,2753],"class_list":["post-6407","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-protection","tag-chained","tag-code","tag-core","tag-cybersecurity","tag-enable","tag-execution","tag-exploits","tag-privacy","tag-remote","tag-security","tag-shell","tag-unauthenticated","tag-vulnerabilities","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts\/6407","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6407"}],"version-history":[{"count":0,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts\/6407\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/media\/6406"}],"wp:attachment":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6407"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6407"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6407"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}