Tech News

Critical wp2shell Flaw Exposes Millions of WordPress Sites

Some vulnerabilities cannot wait and must be treated as a top priority. The new critical flaw discovered in the WordPress core is one of them. It allows an anonymous attacker to execute remote code on a site without authentication. Dubbed wp2shell, this vulnerability affects versions 6.9 and 7.0 of the CMS. On July 17, 2026, WordPress released emergency fixes and enabled forced updates to protect the global web, with an estimated installed base of more than 500 million websites. Here is what we know.

A pre-authenticated RCE that requires no plugin

It was the Assetnote research team, the Searchlight Cyber branch specialized in attack surface management, that uncovered this vulnerability. Researcher Adam Kues reported it to WordPress through the vendor's HackerOne program before it was published under the codename wp2shell. Behind that name lies a vulnerability capable of shaking the web.

In practical terms, this is a remote code execution (RCE) issue that can be exploited without authentication. That means an attacker can run code on your WordPress server without logging in to an account: they only need to be able to visit your WordPress site. The entry point is the WordPress REST API, more precisely the endpoint responsible for batch processing located at /wp-json/batch/v1. However, to protect users, the researchers did not disclose technical details about this flaw (the report is here).

What is certain is that this vulnerability is in the WordPress core, so it is present on all default installations. No account, no specific configuration, and no third-party plugin are required for it to be exploitable.

As for the versions affected by this nasty flaw, here is the list:

  • Versions 6.9.0 to 6.9.4: affected.
  • Versions 7.0.0 to 7.0.1: affected.
  • Versions 6.8.5 and earlier: not affected.

In other words, the security flaw was introduced in WordPress version 6.9, released on December 2, 2025. So if you have updated your WordPress site since the beginning of 2025, or even simply installed WordPress, it may be vulnerable.

WordPress is forcing updates

On paper, 500 million websites are potentially vulnerable: that is the number of WordPress installations. The number of vulnerable instances is dropping minute by minute, since WordPress has enabled forced updates through its automatic update system. In other words, many sites have already installed the security patch automatically (I confirmed this on several instances).

Indeed, in response to this security flaw, WordPress released versions 7.0.2, 6.9.5, and 6.8.6 on July 17, 2026. If we look at the changelog for version 7.0.2, we can see that WordPress actually patched two separately reported issues.

  • wp2shell, the REST API route confusion leading to code execution, reported by Adam Kues (Searchlight Cyber).
  • A SQL injection reported separately by the team made up of TF1T, dtro, and haongo.

The 6.9 branch is affected by both vulnerabilities, hence the 6.9.5 fix, which corrects both. The same is true for the 7.0 branch. The 6.8 branch, on the other hand, is only affected by the SQL injection, fixed by version 6.8.6. It therefore escapes wp2shell.

Be careful, though, with the automatic update mechanism: nothing guarantees it will work every time, including on sites where all automatic updates are disabled. Do not assume the patch has been applied; check for yourself in the WordPress dashboard (it is shown in the bottom-right corner).

If an immediate update is not possible, several temporary measures are available:

  • Block at the WAF level both the path /wp-json/batch/v1 and the parameter ?rest_route=/batch/v1. Both must be blocked, because a rule covering only the base path leaves the second route open.
  • Install a plugin that blocks all anonymous access to the REST API (a good practice).

This latest incident is part of a busy run for the CMS core. Back in March, we already covered ten vulnerabilities fixed and three versions deployed in 48 hours on this same 6.9 branch. For further reading, our tutorial on auditing a WordPress site with WPScan will help you spot flaws and configuration issues.

Finally, note that Searchlight Cyber has published a public tool, wp2shell.com, which can be used to test whether an instance is vulnerable.

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.