A critical pre-authentication remote code execution (RCE) vulnerability dubbed “wp2shell” has been discovered in WordPress Core, putting an estimated 500 million+ websites at risk of full takeover by unauthenticated attackers.
Security researcher Adam Kues of Searchlight Cyber’s Assetnote research team uncovered the flaw, which stems from a REST API batch-route confusion issue that leads to SQL injection and, ultimately, remote code execution.
What makes this bug especially dangerous is that it requires no preconditions and can be exploited by a completely anonymous, unauthenticated user against a stock WordPress installation with zero plugins installed.
wp2shell RCE Vulnerability
In practical terms, an attacker doesn’t need a login, a vulnerable plugin, or any special site configuration to compromise a target — just a reachable WordPress instance running an affected version.
Given the severity of the bug, Searchlight Cyber withheld technical exploit details to give site owners time to patch, while releasing a free public scanner at wp2shell[.]com so administrators can check whether their site is vulnerable.
Which WordPress Versions Are Affected
The vulnerability impacts a specific band of WordPress Core releases, tracked under two CVE identifiers: CVE-2026-60137 (also covering a separate SQL injection issue) and CVE-2026-63030, the batch-route RCE flaw reported by Kues.
| WordPress version range | Status |
|---|---|
| 6.8.5 and earlier | Not affected |
| 6.9.0 – 6.9.4 | Affected |
| 7.0.0 – 7.0.1 | Affected |
| 7.1 beta (pre-release) | Affected |
Notably, the WordPress 6.8 branch is only affected by the SQL injection component (CVE-2026-60137), not the RCE chain, and a fix has been backported to version 6.8.6.
WordPress.org has shipped version 7.0.2, along with backported fixes in 6.9.5 and 6.8.6, addressing both the critical RCE issue and a high-severity SQL injection flaw. Because of the severity, the WordPress.org team has taken the unusual step of force-pushing this update via the auto-update system to all sites running affected versions, rather than waiting for administrators to act manually.
Site owners can also update manually through the WordPress Dashboard by navigating to Updates and clicking “Update Now,” or by downloading the release directly from WordPress.org.
The security team credited three researchers TF1T, dtro, and haongo for jointly reporting the SQL injection issue, alongside Adam Kues for identifying the REST API batch-route RCE chain.
For administrators who cannot immediately update, Searchlight Cyber recommends emergency stopgap measures, though these may disrupt legitimate site functionality:
- Install a plugin that blocks anonymous access to the REST API entirely
- Block the
/wp-json/batch/v1and?rest_route=/batch/v1endpoints at the WAF level - Treat both options as temporary only, until the official patch is applied
Given the scale of WordPress’s install base and the zero-click, no-plugin-required nature of this exploit, security teams are urging immediate patching over reliance on workarounds.