Public exploits are now available for two critical WordPress flaws that attackers can chain to gain remote code execution without authentication.
Public proof-of-concept exploits are now available for the critical wp2shell vulnerabilities affecting WordPress Core. The flaws, tracked as CVE-2026-63030 and CVE-2026-60137, can be chained to achieve pre-authentication remote code execution on default WordPress installations running versions 6.9.x and 7.0.x.
CVE-2026-63030 is a REST API batch-route confusion bug introduced in WordPress 6.9. CVE-2026-60137 is a high-severity SQL injection flaw in the author__not_in parameter of WP_Query, affecting.
“The 7.0.2 security release addresses one critical and one high severity security issue.” reads the WordPress announcement.
“Because this is a security release, it is recommended that you update your sites immediately. Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions.”
Cybersecurity researchers at Searchlight Cyber discovered the flaws that can allow remote attackers to compromise vulnerable sites without valid credentials, making immediate patching essential.
“Searchlight Cyber’s security research team has discovered a pre-authentication RCE in WordPress Core. The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.” reads the advisory. “It is estimated that over 500 million websites use WordPress.”
Researchers withheld technical details to give organizations time to patch, but released an online tool to help administrators check whether their WordPress instances are vulnerable.
Searchlight Cyber’s security research team estimated that over 500 million websites use WordPress. They are releasing a checker so admins can determine whether their instance is vulnerable.
WordPress has enabled forced automatic security updates for affected supported versions because of the severity of the flaws. The full RCE exploit chain affects WordPress versions 6.9.0–6.9.4 and 7.0.0–7.0.1, according to WordPress security advisories.
Site owners should update immediately to WordPress 7.0.2 or 6.9.5, which prevent the exploitation of the wp2shell attack chain.
If patching is not possible, administrators can temporarily reduce risk by blocking anonymous access to the REST API batch endpoint through a security plugin or WAF rules targeting /wp-json/batch/v1 and ?rest_route=/batch/v1.
Searchlight states that these measures are only temporary and may affect legitimate site functions, so updating remains the preferred solution.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
