GBHackers

Critical WordPress Core Flaw Lets Anonymous Hackers Gain Remote Code Execution


A newly disclosed a pre-authentication remote code execution (RCE) vulnerability in WordPress Core, dubbed “wp2shell,” that requires no authentication and affects stock WordPress installations with zero plugins installed. Given that WordPress powers an estimated 500 million websites globally.

The flaw represents one of the most significant CMS security disclosures in recent memory. The issue stems from a REST API batch-route confusion combined with a SQL injection flaw that together enable full RCE.

Critical WordPress Core Flaw

Researcher Adam Kues of Assetnote identified and reported the vulnerability, which has now been assigned CVE-2026-63030 (GHSA-ff9f-jf42-662q). A second, related SQL injection issue reported by TF1T, dtro, and haongo was assigned CVE-2026-60137 (GHSA-fpp7-x2x2-2mjf).

Because exploitation requires no preconditions and no valid credentials, any anonymous attacker can compromise a vulnerable site out of the box.

Searchlight Cyber has withheld technical exploitation details to give site owners time to patch, but has released a public scanner at wp2shell[.]com so administrators can check exposure without needing deep technical expertise.

Affected Versions
  • WordPress ≤6.8.5: not affected by the RCE chain (6.8.x affected only by CVE-2026-60137).
  • WordPress 6.9.0–6.9.4: affected by both vulnerabilities.
  • WordPress 7.0.0–7.0.1: affected by both vulnerabilities.
  • WordPress 7.1 beta releases: affected; fixed in 7.1 beta2.

Patches and Mitigation

The WordPress security team responded with version 7.0.2, addressing one critical and one high-severity issue. Backport releases include 6.9.5 and 6.8.6.

Due to the severity of the RCE, WordPress has enabled forced auto-updates for sites running affected versions, though administrators are urged to verify updates manually.

Site owners can update via the WordPress Dashboard under Updates → Update Now, or download the release directly from WordPress.org.

For environments where immediate patching isn’t feasible, Searchlight Cyber recommends temporary mitigations:

  • Install a plugin that blocks anonymous access to the REST API entirely
  • Block /wp-json/batch/v1 and ?rest_route=/batch/v1 at the WAF level

These measures may disrupt legitimate REST API functionality and should be treated strictly as emergency stopgaps until a full update can be applied.

Combined with WordPress’s massive installed base, wp2shell has the potential for widespread automated exploitation once technical details become public or are reverse-engineered from patch diffs.

Security teams and site administrators are strongly advised to update immediately, verify patch status using the wp2shell[.]com tool, and monitor logs for suspicious REST API batch requests targeting /wp-json/batch/v1.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.



Source link