Sat, 18 Jul
34°C

New Delhi

Partly Cloudy
Feels Like
38°C
Humidity
62%
Wind Speed
14 km/h
Visibility
8 km
UV Index
8 (Moderate)
Pressure
1008 hPa
Hourly Forecast
22:00
34°C
20%
23:00
34°C
25%
0:00
33°C
30%
1:00
33°C
35%
2:00
32°C
40%
3:00
32°C
45%
7-Day Forecast
Today
Partly Cloudy
26°C
35°C
Sat
Partly Cloudy
26°C
35°C
Sun
Partly Cloudy
26°C
35°C
Mon
Partly Cloudy
26°C
34°C
Tue
Partly Cloudy
27°C
34°C
Wed
Partly Cloudy
27°C
34°C
Thu
Partly Cloudy
27°C
33°C
Daily News Insights LogoDaily News Insights Logo
BREAKING
Daily News Insights: AI-Powered News Platform — Updated On DemandBreaking coverage from India and the world, synthesized by Gemini 1.5 FlashLive pipeline: Firecrawl extraction • Supabase storage • Upstash caching
Home/Tech

Critical WordPress wp2shell Flaw Allows Unauthenticated Remote Code Execution on Millions of Sites

DNI
Daily News Insights Editorial Desk
SATURDAY, 18 JULY 2026 AT 06:30 AM·4 MIN READ
Critical WordPress wp2shell Flaw Allows Unauthenticated Remote Code Execution on Millions of Sites
IMAGE: DAILY NEWS INSIGHTS / NEWS DATA LABS

DNI SUMMARY — KEY POINTS

  • A critical unauthenticated remote code execution vulnerability, dubbed wp2shell, allows anonymous attackers to run malicious code on standard WordPress installations without any plugins.
  • The vulnerability chain consists of two distinct flaws, specifically a SQL injection and a REST API batch-route confusion, which together facilitate complete server compromise.
  • WordPress responded to the severity of the threat by deploying emergency updates in versions 7.0.2 and 6.9.5 while forcing auto-updates for many users.
  • Researchers from Assetnote and Searchlight Cyber identified the flaw, leading to an urgent security advisory and the release of testing tools for administrators.
  • Organizations are advised to verify their site versions immediately, as relying on automated update mechanisms might not guarantee protection for every individual installation.
IN-DEPTH ANALYSIS
TechBusiness

Security teams are currently scrambling to remediate a severe vulnerability known as wp2shell that targets the very heart of the WordPress ecosystem. This critical flaw allows an unauthenticated attacker to execute arbitrary code on a server without needing a single plugin, effectively bypassing standard security barriers found in a default installation. By chaining two separate vulnerabilities, attackers can achieve total control over affected websites, making this one of the most dangerous exploits to hit the platform in recent memory. The industry is on high alert as the technical details of the attack continue to circulate among security professionals and threat actors alike.

The Anatomy of Exposure

The core of this vulnerability lies in a dangerous combination of two distinct software flaws. The first, identified as CVE-2026-60137, is a potent SQL injection found within the author__not_in parameter of the primary database query class. When paired with the second flaw, CVE-2026-63030, which involves a complex REST API batch-route confusion, the result is a bridge that leads directly to remote code execution. This chain permits an anonymous user to send a specially crafted HTTP request that triggers the exploitation process, entirely circumventing the need for valid administrative credentials or specific site configurations.

WordPress acted with rare urgency following the discovery, pushing out forced updates to millions of sites to neutralize the threat. Versions 7.0.2 and 6.9.5 were released as emergency patches specifically designed to close these security gaps before they could be widely leveraged by malicious entities. While the automated update system is a powerful tool for global security, administrators are still urged to manually verify their environment. Relying on an assumption that a background process handled the patch could leave a site exposed to persistent threats from automated scanning tools currently crawling the web.

The wp2shell vulnerability allows an anonymous user to achieve remote code execution on a stock WordPress installation without requiring any plugins.

Security Response and Patching

Security researchers from Assetnote and Searchlight Cyber were instrumental in bringing this dangerous oversight to light through the official bug bounty program. By reporting the batch-route confusion and SQL injection through proper channels, they provided the vendor with the necessary time to develop a fix. Despite the official patch, the emergence of a proof-of-concept on public code repositories has significantly increased the risk for slower organizations. The industry remains wary of the potential for in-the-wild exploitation, emphasizing the necessity of immediate patching cycles for all web-facing infrastructure.

The sheer scale of the WordPress user base presents a massive surface for potential exploitation, with hundreds of millions of sites potentially running the software. Because the vulnerable code path exists in versions as recent as 6.9 and 7.0, a significant portion of the active web is theoretically at risk. The architectural flaw stems from how the REST API processes batch requests, a feature that has been present for years but only recently became the target of such a sophisticated, multi-stage attack. Defenders must now rethink how they manage API access to prevent similar future incidents.

Scope of the Vulnerability

Mitigation steps for those unable to apply the official update immediately include rigorous network-level filtering and temporary configurations. Implementing a Web Application Firewall, or WAF, to block requests targeting the specific batch endpoint is a common defensive posture, although such measures can occasionally interfere with legitimate traffic. Security analysts recommend that these methods be treated purely as stopgap measures until the core software is updated. Keeping the underlying system patched is the only path toward maintaining long-term integrity against evolving threats targeting the application layer.

CVE-2026-60137 is a critical SQL injection vulnerability in the WP_Query class that has been actively exploited as part of the attack chain.

The incident underscores a broader trend where even foundational components of popular open-source software are prone to critical, unauthenticated vulnerabilities. Developers and site administrators must recognize that a stock, plugin-free installation is no longer a guarantee of safety against sophisticated SQL injection techniques. As AI-driven analysis tools become more prevalent, the time between a patch release and the development of functional exploits is shrinking rapidly. Proactive defense, rather than reactive patching, must become the standard for any organization that maintains a public-facing digital presence today.

Lessons for Future Security

Looking forward, the security community expects more rigorous auditing of core API endpoints to prevent similar interpretation conflicts. The wp2shell incident will likely serve as a case study in how complex chains of minor vulnerabilities can coalesce into a single, high-impact security catastrophe. Organizations that fail to maintain an accurate inventory of their software versions will continue to be the primary targets for such automated, high-speed exploitation attempts. Consistent vigilance and a commitment to rapid, verifiable deployment of security updates remain the best defenses for any entity operating on the modern, interconnected internet.

KEY TAKEAWAYS

WordPress deployed emergency updates for versions 7.0.2 and 6.9.5 to mitigate the impact of this unauthenticated remote code execution flaw.

Security researchers reported that the vulnerability can be triggered via the REST API batch endpoint at /wp-json/batch/v1 without any prior authentication.

How do you feel about this story?

Share This Story

Choose a platform to share this article