New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
Jul 17, 2026
Vulnerability / Web Security
Updated July 18, 2026: the two flaws now carry CVE IDs, the full mechanism has been published, a persistent-object-cache condition has surfaced, and a working proof-of-concept is public. The story below reflects all of it. An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced updates through its auto-update system. wp2shell is two bugs, not one, and both now carry CVE IDs. CVE-2026-63030 is the REST API batch-route confusion; CVE-2026-60137 is a SQL injection in WordPress core. Chained, they take an anonymous request all the way to code execution. Since Friday, the full mechanism has been published, and a working proof-of-concept has gone up on GitHub. Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, found the batch-route bug and reported it throug...