Public proof-of-concept exploits for a critical pair of remote code execution vulnerabilities in WordPress Core — collectively dubbed "wp2shell" — have been released, with at least one security firm reporting early signs of in-the-wild exploitation as of July 18, 2026.
The wp2shell attack chains two independently tracked flaws, CVE-2026-63030 and CVE-2026-60137, that can be combined to achieve pre-authentication remote code execution against default WordPress installations running versions 6.9.x and 7.0.x, with no plugins required and no preconditions for the attacker.
The vulnerabilities were discovered by Adam Kues of Searchlight Cyber, which disclosed that an unauthenticated attacker can exploit them against a stock WordPress install.
"Searchlight Cyber's security research team has discovered a pre-authentication RCE in WordPress Core," the firm said. "The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins."
The first flaw, CVE-2026-63030, is a REST API batch-route confusion vulnerability introduced in WordPress 6.9. The second, CVE-2026-60137, is a SQL injection flaw in the 'author__not_in' parameter of 'WP_Query', affecting WordPress 6.8 and later. The SQL injection issue affects versions as far back as 6.8.0, but the full RCE chain requires the REST API bug added in 6.9, meaning the complete attack applies to WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1.
Searchlight Cyber estimates that more than 500 million websites run WordPress, giving the vulnerability a potentially broad reach — particularly now that public exploits are available.
Some publicly released proof-of-concept code combines both vulnerabilities to extract WordPress password hashes via SQL injection, crack an administrator password, upload a malicious plugin, and execute commands. Other exploits claim to achieve pre-authentication remote code execution without requiring administrator credentials at all, consistent with Searchlight Cyber's description of the attack chain.
Security firm watchTowr confirmed it has already observed in-the-wild exploitation following the public release of those exploits.
"WordPress gets a bad rap for security. But the reality is that a highly impactful, unauthenticated SQL injection or remote code execution vulnerability in WordPress core is actually fairly rare," watchTowr CEO Benjamin Harris told BleepingComputer via email. "That is exactly what makes this one different, and why everyone is scrambling to patch before widespread exploitation takes hold."
The WordPress security team has responded by enabling forced automatic updates for supported installations running affected versions, directing site owners to update to WordPress 7.0.2 or 6.9.5 immediately.
"Because this is a security release, it is recommended that you update your sites immediately," WordPress said in its security announcement. "Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions."
Cloudflare separately announced it has deployed Web Application Firewall protections for both CVEs across all plans, including free accounts, for sites proxied through its platform. The company was clear that WAF coverage is not a substitute for patching.
"WAF protections reduce exposure while customers update, but they are not a substitute for patching," Cloudflare said.
For organizations unable to immediately apply patches, Searchlight Cyber recommends either installing a plugin that blocks anonymous access to the REST API entirely, or blocking the /wp-json/batch/v1 and ?rest_route=/batch/v1 endpoints at the WAF level — cautioning that either measure should be treated as temporary until a full update is applied. The firm has also launched wp2shell.com, a site that allows administrators to test whether their installations remain vulnerable.
With active exploitation now being reported and multiple exploit variants circulating publicly on GitHub, the window for administrators to patch without incident is narrowing quickly.
Disclaimer