WordPress Core 'wp2shell' RCE flaws get public exploits, patch now
WordPress Core has been hit with critical 'wp2shell' remote code execution vulnerabilities, tracked as CVE-2026-63030 and CVE-2026-60137. Public exploits have been released, making it essential for administrators to patch their sites immediately.
Intelligence analysis by Llama

WordPress Core has been affected by critical remote code execution vulnerabilities, tracked as CVE-2026-63030 and CVE-2026-60137. Public exploits have been released, and administrators are urged to patch their sites immediately.
Imagine you have a super powerful tool that can do anything you want, but someone else can also use it to do bad things. That's what's happening with WordPress, a popular website builder. There's a big problem with it that can let someone do bad things without needing a password. We need to fix it as soon as possible to keep our websites safe.
Analysis
A Critical Vulnerability in WordPress Core
WordPress Core has been hit with critical 'wp2shell' remote code execution vulnerabilities, tracked as CVE-2026-63030 and CVE-2026-60137. These vulnerabilities can be chained together to achieve pre-authentication remote code execution against WordPress installs running versions 6.9.x and 7.0.x. The flaws were discovered by Adam Kues of Searchlight Cyber, which says an unauthenticated attacker can exploit them against a default WordPress installation. Searchlight Cyber estimates that more than 500 million websites use WordPress, giving the vulnerability a potentially massive impact, especially now that public proof-of-concept exploits have been released. Due to the severity of the vulnerabilities, the WordPress security team has enabled forced automatic security updates for supported installations running affected versions, urging site owners to update to WordPress 7.0.2 or 6.9.5 immediately.
The Impact of the Vulnerability
The issue is not a single vulnerability but rather two independent flaws that can be combined into an unauthenticated remote code execution chain. The first flaw, CVE-2026-63030, is a REST API batch-route confusion vulnerability introduced in WordPress 6.9. According to the GitHub advisory, the flaw can be combined with the SQL injection issue to achieve remote code execution. The second vulnerability, CVE-2026-60137, is an SQL injection flaw in the 'author__not_in' parameter of 'WP_Query'. WordPress describes it as a high-severity SQL injection vulnerability affecting WordPress 6.8 and later.
Mitigations and Patches
For organizations unable to immediately update, Searchlight Cyber recommends installing a plugin that blocks anonymous access to the REST API entirely or blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level. The company warns these mitigations should only be used as a temporary measure until systems can be updated. Cloudflare also announced that it has deployed Web Application Firewall (WAF) protections for both vulnerabilities across all plans, including free accounts, that are proxied behind its platform.
Key points
- WordPress Core has been hit with critical 'wp2shell' remote code execution vulnerabilities, tracked as CVE-2026-63030 and CVE-2026-60137.
- Public exploits have been released, making it essential for administrators to patch their sites immediately.
- The flaws can be chained together to achieve pre-authentication remote code execution against WordPress installs running versions 6.9.x and 7.0.x.
- Searchlight Cyber estimates that more than 500 million websites use WordPress, giving the vulnerability a potentially massive impact.
- The WordPress security team has enabled forced automatic security updates for supported installations running affected versions.
If we patch WordPress quickly, we can prevent widespread exploitation of the 'wp2shell' vulnerabilities. This will help keep our websites safe and prevent potential damage.
If we don't patch WordPress quickly, we risk widespread exploitation of the 'wp2shell' vulnerabilities. This could lead to significant damage, including data breaches and website takeovers.
Market signals
- XAU Escalation drives safe-haven demand for gold, per the article's framing of investor reaction.
AI-generated analysis of potential market relevance. Not financial advice.



