Security

WordPress 7.0.2 Patches wp2shell: Critical Pre-Auth RCE

Tracked under: CVE-2026-63030

WordPress released versions 7.0.2 and 6.9.5 on 17 July 2026, security releases addressing one critical and one high severity vulnerability in core.

The critical issue, dubbed wp2shell by the researchers who found it, is a pre-authentication remote code execution (RCE) vulnerability chaining a REST API batch request route confusion with SQL injection. It requires no login, no special configuration and no plugins: a default WordPress install is exploitable by an anonymous HTTP request. RCE is the most severe class of vulnerability there is. Successful exploitation hands an attacker control of the affected site.

The flaw was discovered by Adam Kues at Assetnote, part of Searchlight Cyber, and responsibly reported through WordPress’s HackerOne programme. A separate SQL injection issue was reported by TF1T, dtro and haongo. Both are fixed in this round of releases, and due to the severity WordPress.org has enabled forced automatic updates for sites running affected versions. Assetnote is withholding the full technical details for now, but has published a checker at wp2shell.com so site owners can test whether their install is vulnerable.

More detail is available in the Searchlight Cyber write-up, the official WordPress 7.0.2 release post and the Wordfence advisory.

Affected Versions: WordPress Core 6.9 – 7.0.1

Two version ranges are affected by the RCE:

  • WordPress 6.9.0 – 6.9.4, fixed in 6.9.5
  • WordPress 7.0.0 – 7.0.1, fixed in 7.0.2

WordPress 6.8 is affected by the separate SQL injection issue only, fixed in 6.8.6. Versions prior to 6.8 are not affected: the vulnerable code only exists from 6.9 onwards, which shipped in December 2025. The 7.1 beta carries the fix from beta2.

The REST API batch endpoint itself has been part of core since WordPress 5.6 and is available by default, so this is not a niche configuration issue. If your site is running an affected version, treat it as exposed until patched.

Preventive Measures

To protect your WordPress website from this and similar vulnerabilities, consider the following best practices:

  • Update immediately. Go to Dashboard → Updates and confirm you are on 7.0.2 (or 6.9.5 / 6.8.6 if you are deliberately holding on an older branch). With core RCE vulnerabilities, hours matter more than days.
  • Confirm automatic updates actually ran. WordPress.org has pushed forced updates, but it is unclear whether these reach sites with auto-updates disabled, and some hosting setups and version-controlled deployments block them entirely. Check the version you are actually running, or test your site with the wp2shell checker.
  • Keep everything else current. Plugins, themes and core files should be updated regularly. Most compromises exploit vulnerabilities that were patched weeks or months earlier.
  • Review your site if it sat unpatched. No exploitation has been reported at the time of writing, but with no CVE to tag, nobody is looking very hard yet. If an affected version was live for any length of time after disclosure, check for unfamiliar admin accounts and recently modified files, and review your access logs for unusual REST API activity.

If You Can’t Update Immediately

Updating is the fix. If something genuinely prevents that today, the researchers suggest keeping anonymous requests away from the batch endpoint as a stopgap:

  • Block the batch route at your firewall. Rules need to cover both /wp-json/batch/v1 and the query-string form ?rest_route=/batch/v1. Blocking only the pretty permalink path leaves the second route open.
  • Disable the REST API for anonymous users, for example with the Disable WP REST API plugin. Blunt but effective.
  • Use the researchers’ drop-in mitigation plugin, available from wp2shell.com, which rejects anonymous batch requests.

All three can break legitimate integrations that rely on the REST API, so treat them as temporary measures until the update is applied, not alternatives to it.

Conclusion

WordPress core has been patched. It is advised to update to version 7.0.2, or the backported 6.9.5 / 6.8.6 releases. If you’re on one of our maintenance or support plans – fear not! Your sites have already been updated.

If your site isn’t actively maintained, this is exactly the sort of vulnerability that makes the case for it. We’ve written before about how WordPress sites get hacked and what cleanup actually costs, and prevention is reliably the cheaper option.

For more information on WordPress security and steps to protect your site, feel free to reach out on our contact page or book a discovery call