Published on July 18, 2026

Critical WordPress Core Flaw Could Allow Unauthenticated Attackers to Execute Remote Code


Severity
Critical

Detail

WordPress has released versions 6.9.5 and 7.0.2 to address a critical pre-authentication remote code execution (RCE) vulnerability, known as wp2shell, affecting WordPress Core. The vulnerability allows an anonymous attacker to execute arbitrary code on a vulnerable WordPress installation without authentication, user interaction, or the presence of third-party plugins.

According to the published advisories, the attack targets WordPress installations by chaining two vulnerabilities CVE-2026-63030, a REST API batch-route confusion vulnerability, and CVE-2026-60137, a SQL injection vulnerability in WordPress Core. Together, these flaws enable unauthenticated remote code execution on affected versions.

The vulnerability was discovered by Searchlight Cyber and responsibly disclosed through WordPress’s HackerOne program. To help protect users, WordPress has released security updates and initiated forced automatic updates for supported installations. However, organizations should verify that their WordPress instances have been successfully updated, particularly if automatic updates have been disabled.

At the time of publication, no information confirming active exploitation in the wild was provided.

CVE IDCVE ID
Summary
CVSS Score
CVE-2026-63030A REST API batch-route confusion vulnerability in WordPress Core that can be chained with CVE-2026-60137 to achieve unauthenticated remote code execution9.8 (Critical)
CVE-2026-60137A SQL injection vulnerability in WordPress Core when combined with CVE-2026-63030, enables unauthenticated remote code execution.5.9 (Medium)

Affected Products

The vulnerabilities affect the following WordPress Core versions:

  • WordPress 6.9.0 through 6.9.4 (fixed in 6.9.5).
  • WordPress 7.0.0 through 7.0.1 (fixed in 7.0.2).

Recommendation

Organizations and website administrators are strongly advised to take the following actions to reduce the risk of exploitation:

  • Upgrade WordPress Core to version 6.9.5, 7.0.2, or later.
  • Verify that WordPress installations have successfully received the latest security updates, especially if automatic updates have been disabled.
  • Prioritize patching internet-facing WordPress websites running affected versions.
  • Continue monitoring official WordPress security advisories for additional guidance and future updates.

Source
http://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ff9f-jf42-662q
https://nvd.nist.gov/vuln/detail/CVE-2026-63030
https://nvd.nist.gov/vuln/detail/CVE-2026-60137
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fpp7-x2x2-2mjf
https://thehackernews.com/2026/07/new-wp2shell-wordpress-core-flaw-lets.html