A critical WordPress Core RCE lets attackers skip the login screen entirely — patch now if you haven't
Picture this: a WordPress site with no plugins installed, no weak passwords, no misconfigured permissions — the kind of "boring, default" setup that most security checklists would wave through. On July 17, 2026, that same boring default setup turned out to be exploitable by a complete stranger on the internet, with no account and no user interaction required. That's the story behind wp2shell, a critical remote code execution (RCE) vulnerability chain now patched in WordPress Core.
If you run, manage, or secure WordPress sites — and given that WordPress powers an estimated 500 million+ websites worldwide, there's a good chance you do — this is not a "read it later" advisory. This is a "check your version right now" advisory.
Table of Contents
- What Happened: The wp2shell Disclosure
- How wp2shell Actually Works
- Which WordPress Versions Are Affected
- Real-World Attack Scenario
- Indicators of Compromise & What to Watch For
- Detection & Prevention Techniques
- Expert Tips for SOC Teams & Site Owners
- Related Articles
- FAQ
- Conclusion
What Happened: The wp2shell Disclosure
On July 17, 2026, the WordPress security team shipped emergency releases — versions 7.0.2, 6.9.5, and 6.8.6 — to close a critical vulnerability chain nicknamed "wp2shell." The name is blunt about the impact: an unauthenticated attacker can go from zero access to shell-level control on a stock WordPress install.
The flaw was found by security researcher Adam Kues of Assetnote, the research arm of Searchlight Cyber, who reported it responsibly through WordPress's HackerOne program. A related SQL injection issue was reported separately by researchers TF1T, dtro, and haongo. Because of the severity, Searchlight Cyber withheld full technical exploit details and instead published a free public scanner at wp2shell.com so administrators could check their exposure without waiting for a patch cycle.
What makes this different from the usual "critical plugin vulnerability" headline is that it lives in WordPress Core itself — not a third-party plugin or theme. That means the attack surface isn't determined by what extensions you've installed. If your core version falls in the affected range, you're exposed by default.
How wp2shell Actually Works
wp2shell isn't a single bug — it's a two-vulnerability chain, tracked under two CVE identifiers:
| CVE | Type | Description |
|---|---|---|
| CVE-2026-60137 | SQL Injection | Unauthenticated SQL injection in the author__not_in parameter of the internal WP_Query class. Present since WordPress 6.8. |
| CVE-2026-63030 | REST API Route Confusion | A batch-route confusion bug in the /wp-json/batch/v1 endpoint that lets an unauthenticated request reach functionality normally restricted to logged-in users. Affects 6.9 and later. |
Here's the logical chain, as described by researchers analyzing the disclosure: the SQL injection in WP_Query is normally gated behind an authentication check. The batch-route confusion bug effectively bypasses that gate, letting an anonymous request reach the vulnerable query path. From there, an attacker can query the database directly — including tables holding admin password hashes.
Once an attacker has a hash, the path to full compromise is a familiar one: crack or brute-force the hash offline, log in as an administrator, and upload a webshell through the standard theme/plugin editor or file upload functionality that admins have legitimate access to. At that point, it's game over for the site — the attacker has code execution with whatever permissions the web server process holds.
It's worth being precise here: independent researchers analyzing the patch noted they had not identified a single-request "straight shot" to code execution. The practical chain runs through credential theft first, then abuse of legitimate admin functionality — which is arguably just as dangerous, since it doesn't rely on a single exotic exploit primitive that's easy to signature.
Which WordPress Versions Are Affected
| WordPress Version Range | Vulnerability Exposure | Fixed In |
|---|---|---|
6.8.x and earlier (down to when WP_Query param was introduced) | SQL injection only (CVE-2026-60137) — not the full RCE chain | 6.8.6 |
| 6.9.0 – 6.9.4 | Both vulnerabilities — full RCE chain possible | 6.9.5 |
| 7.0.0 – 7.0.1 | Both vulnerabilities — full RCE chain possible | 7.0.2 |
Because of the severity, the WordPress.org team took the unusual step of force-pushing this update through the auto-update system to all sites running affected versions, rather than waiting for administrators to click "Update Now." That's not something WordPress does lightly — it's reserved for scenarios where the risk of an unpatched site outweighs the risk of an unattended, automatic core update.
Real-World Attack Scenario
Imagine a mid-sized e-commerce business running a stock WordPress 6.9.3 install with WooCommerce and a handful of marketing plugins. There's nothing unusual about their setup — patched plugins, strong admin passwords, a WAF sitting in front for good measure against known plugin CVEs.
An attacker scanning the internet for exposed WordPress instances doesn't need to know anything about this store's plugins. They send a single crafted request to /wp-json/batch/v1, exploiting the route confusion to reach the SQL injection in WP_Query. Within minutes, they've exfiltrated the wp_users table, including the hashed admin password. Offline cracking — especially against weaker hashing configurations or reused passwords — hands them valid admin credentials. From the dashboard, they upload a malicious plugin or edit an existing theme file to drop a webshell.
The business never sees a failed login attempt, never gets a brute-force alert, and never has a plugin vulnerability to patch. Their WAF, tuned for known plugin exploits, doesn't recognize a REST API batch request as malicious because, structurally, it looks like normal API traffic. This is exactly why core-level, pre-auth chains like wp2shell are disproportionately dangerous compared to plugin bugs — they bypass the mental model most site owners use to think about risk.
Indicators of Compromise & What to Watch For
Since Searchlight Cyber deliberately withheld the exact exploit payload to slow down attacker adoption, published IOCs are necessarily high-level. Security teams should watch access and application logs for:
- Anonymous (unauthenticated) requests to
/wp-json/batch/v1or URLs using?rest_route=/batch/v1 - Batch requests containing nested references to
author__not_inor otherWP_Queryparameters with unusual characters (quotes, SQL keywords, encoded payloads) - Unexpected admin logins from unfamiliar IP addresses shortly after unusual REST API activity
- New or modified files in
wp-content/themes/orwp-content/plugins/that don't correspond to a legitimate update or install - Unexpected plugin installs performed outside your normal change window
If you find any of the above and your site was running an affected version before patching, treat it as a potential compromise, not just a vulnerability — see the remediation steps below.
Detection & Prevention Techniques
1. Patch first — it's the only complete fix
Update to WordPress 7.0.2, 6.9.5, or 6.8.6 depending on your branch. Don't assume the forced auto-update succeeded — verify manually.
Dashboard → Updates → Update Now
Or check your current version directly from the command line if you manage the server yourself:
wp core version
This WP-CLI command prints the installed WordPress version so you can confirm the patch actually landed, rather than trusting the dashboard banner alone.
2. If you can't patch immediately, apply temporary stopgaps
Security researchers stress these are temporary only, and may break legitimate REST API functionality for themes, plugins, or the block editor:
- Install a plugin that blocks anonymous access to the REST API entirely
- Block the
/wp-json/batch/v1and?rest_route=/batch/v1endpoints at the WAF or reverse-proxy level
Example Nginx-level block (test thoroughly in staging first — this can break legitimate Gutenberg/editor functionality that relies on the batch endpoint):
location ~* ^/wp-json/batch/v1 {
deny all;
return 403;
}
Warning: disabling the batch REST route is a stopgap, not a fix. Some core WordPress features and plugins rely on it. Remove this rule once you've confirmed the core update is applied.
3. Confirm the patch with the public scanner
Searchlight Cyber published a free checker at wp2shell.com that tells you whether your installation is still vulnerable. Running this after patching is a good sanity check before you close the incident ticket.
4. Rotate credentials if compromise is suspected
Because the exploit chain's endpoint is credential theft, patch first, then rotate all admin passwords and API keys, and force logout of all active sessions:
wp user list --role=administrator
wp user update <user_id> --user_pass=<new_strong_password>
This forces a new password for a specific administrator account by ID — use it for every admin account if you have any reason to believe the database was queried before patching.
5. Review for backdoors
Scan wp-content/themes and wp-content/plugins for unexpected file modifications, and compare installed plugins against your known-good inventory. A file integrity monitoring tool or malware scanner plugin can help automate this going forward.
Expert Tips for SOC Teams & Site Owners
- Don't assume "no plugins, no risk." This incident is a reminder that core CMS code is just as much an attack surface as third-party extensions — sometimes more, because it's universal across every install.
- Treat forced auto-updates as a severity signal. WordPress rarely force-pushes updates. When it does, prioritize verification over trust — confirm the version landed instead of assuming the background job ran cleanly.
- Tune WAF rules for behavior, not just known payloads. Signature-based rules built for plugin CVEs often miss core API abuse because the traffic looks structurally normal. Anomaly-based rate limiting on REST API endpoints adds a layer that payload-based detection misses.
- Watch for the "quiet" compromise pattern. This chain doesn't trigger brute-force alerts. Credential-theft-then-legitimate-login is much harder to detect than repeated failed logins — build detections around unusual admin login timing and geography, not just failure counts.
- Keep an eye on exploitation reporting. Multiple researchers have already reported proof-of-concept exploits circulating and early signs of in-the-wild exploitation within 24 hours of disclosure — patch urgency compounds fast on bugs like this.
Related Cybersecurity Topics You Should Explore
- TP-Link Camera Flaw Lets Hackers on Your Wi-Fi Steal Admin Access
- Microsoft's Biggest Patch Tuesday Ever: 570 Bugs, 3 Zero-Days Exploited
- SonicWall SMA1000 Under Attack — Critical CVSS 10.0 Flaw Exposed
- Why SOC Analysts Run 'Tree' Before Anything Else
- This One Linux Command Exposed a Hacker's Fake Timestamps
- locate Command in Linux: Small Tool, Big Security Implications
- The Linux find Command: A SOC Analyst's Guide to Hunting Hackers
- mv Command Guide: How SOC Analysts Use It Safely (2026)
- I Found a Hacker Hiding in a Single Linux cp Command
FAQ
Q: Is my WordPress site vulnerable to wp2shell?
A: Only if you're running WordPress 6.9.0–6.9.4 or 7.0.0–7.0.1 for the full RCE chain, or any version prior to 6.8.6 for the standalone SQL injection component. Check your version and update immediately if it falls in these ranges.
Q: Do I need any plugins installed to be at risk?
A: No. This is a core WordPress vulnerability that affects stock installations with zero plugins, which is what makes it especially concerning.
Q: Will updating WordPress automatically fix this?
A: WordPress has enabled forced automatic updates for affected sites, but you should still verify manually that your installed version shows 7.0.2, 6.9.5, or 6.8.6, rather than assuming the background update completed successfully.
Q: Is there a public exploit available?
A: The original researchers withheld full technical details to give site owners time to patch. However, multiple security firms have reported seeing proof-of-concept exploits and early indicators of in-the-wild exploitation within a day of disclosure, so treat this as actively weaponized.
Q: What should I do if I think I've already been compromised?
A: Patch first, then rotate all administrator credentials and API keys, force logout of active sessions, and audit your themes and plugins directories for unauthorized files or modifications.
Q: Are managed WordPress hosts (like WP Engine or Kinsey/Kinsta) affected?
A: Check with your specific host directly — many managed hosting providers apply core security patches on behalf of customers faster than self-managed installs, but this should never be assumed without confirmation.
Conclusion
wp2shell is a reminder that "default and unmodified" doesn't mean "low risk" — sometimes it means the opposite, since a core vulnerability affects every single install in the same way, with no plugin variance to slow attackers down. The good news is that WordPress moved fast: patches shipped the same day the advisory went public, and forced auto-updates are already rolling out to affected sites.
The bad news is that researchers are already seeing proof-of-concept exploits and early in-the-wild activity. If you manage even one WordPress site, this is worth five minutes of your day right now: check the version, confirm the patch applied, and run the public scanner to be sure.
Have you checked your WordPress version yet? Share this article with your team, drop your questions in the comments, and subscribe for the next breaking vulnerability breakdown before it hits the headlines.







