The flaw, dubbed “wp2shell” and tracked as CVE-2026-63030, affected WordPress 6.9.0 through 6.9.4 and versions 7.0.0 and 7.0.1. WordPress released versions 6.9.5 and 7.0.2 on July 17, urging administrators to install the patches immediately.
The vulnerability carried exceptional risk because an attacker did not require a valid account, administrator privileges or user interaction. A specially prepared anonymous request could exploit weaknesses in the WordPress REST API and potentially run arbitrary code on the underlying server.
Successful exploitation could give an intruder control over a website, its database and stored information. Attackers could alter pages, steal credentials, implant malicious software, redirect visitors or use compromised servers to launch further attacks.
WordPress activated forced updates through its automatic-update system because of the severity of the issue. Websites that support automatic background updates should receive the patched release, although administrators have been advised to verify the version installed rather than assume the process has completed successfully.
The vulnerability arose from confusion in the handling of REST API batch routes, combined with an SQL injection condition that could lead to remote code execution. The affected component allows multiple REST API requests to be processed together, improving efficiency for applications interacting with WordPress.
Security researcher Adam Kues, working with Assetnote and Searchlight Cyber, identified the flaw and reported it privately so that fixes could be prepared before technical details were made public. The issue was assigned a critical severity rating because exploitation was possible over a network with low complexity and without authentication.
A stock WordPress installation could be vulnerable even when no third-party themes or plugins were installed. That characteristic distinguishes wp2shell from many widespread WordPress compromises, which commonly exploit poorly maintained extensions rather than the platform’s core software.
WordPress 6.9 was affected by both the critical remote-code-execution vulnerability and a separate high-severity SQL injection flaw, tracked as CVE-2026-60137. Version 6.9.5 contains fixes for both issues. WordPress 6.8 was affected only by the separate SQL injection problem and has been patched through version 6.8.6.
Versions released before WordPress 6.8 are not affected by either of the newly disclosed vulnerabilities. However, operators using older branches still face security risks arising from unsupported software and previously disclosed flaws. WordPress maintains that only its newest release receives full active support.
The beta version of WordPress 7.1 was also affected. Developers and testing teams using that branch have been directed to move to WordPress 7.1 Beta 2, which includes the required fixes. Production websites are not supposed to run beta software.
The update modifies three core files connected to REST API processing and database queries: class-wp-rest-server. php, class-wp-query. php and rest-api. php. No WordPress packages were revised as part of the security release.
WordPress is used across a vast range of websites, from personal blogs and small businesses to news platforms, online shops and government portals. Estimates place its global footprint at hundreds of millions of sites, magnifying the potential impact of a core vulnerability that can be exploited without credentials.
Website owners should confirm that their installations now show WordPress 7.0.2, 6.9.5 or another unaffected version. Administrators running the 6.8 branch should upgrade to at least 6.8.6 because of the accompanying SQL injection fix.
Operators unable to update automatically can install the release through the Dashboard’s Updates section. Managed hosting customers should verify whether their provider has applied the patch, particularly when update controls are handled centrally.
Security teams have also advised administrators to examine server access logs, unexpected administrator accounts, unfamiliar scheduled tasks and changes to core files. Unexplained redirects, injected scripts or newly created PHP files may indicate compromise.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.