```html ``` WordPress Shipped an Emergency Patch on a Friday for a Pre-Auth RCE in Its Own Core. It's Called wp2shell, It Needs No Login, and the Weekend Is the Exploit Window.
top of page

WordPress Shipped an Emergency Patch on a Friday for a Pre-Auth RCE in Its Own Core. It's Called wp2shell, It Needs No Login, and the Weekend Is the Exploit Window.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 36 minutes ago
  • 3 min read

WordPress pushed emergency releases today, version 7.0.2 and 6.9.5, to close a pre-authentication remote code execution vulnerability in core. Researchers at Searchlight Cyber named it wp2shell, and it is tracked as CVE-2026-63030. No login, no plugins, no special configuration. A default WordPress install answers an anonymous HTTP request and runs the attacker's code. It shipped on a Friday, which is the part that should decide how you spend the next hour.



What wp2shell actually is


The flaw is a chain, and the chain is what makes it ugly. WordPress core has shipped a REST API batch endpoint at /wp-json/batch/v1 since version 5.6 back in 2020. It is on by default, reachable without authentication, and does not even need pretty permalinks turned on. The bug is a route-confusion issue in how that batch endpoint dispatches requests, and routed through it, a SQL injection escalates into full remote code execution on WordPress 6.9 and later. So an anonymous request to an endpoint that has been quietly present in every install for five years turns into a shell.


The affected versions are 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. If you are on 6.8.5 or earlier you are not affected by this one. The fixes are 7.0.2 and 6.9.5, both out today.



Why the calendar matters more than the CVSS


The patch is public, which means the fix is also a map. Security researchers and attackers alike can diff the change, see exactly what was broken, and build a working exploit from the patch itself, often within hours. That race always runs after a disclosure. What makes this one worse is the day it started. A Friday-afternoon patch for an anonymous core RCE hands attackers a full weekend of a thinly-staffed internet, and the population running WordPress is not the population with a weekend on-call rotation. It is the bakery, the physical therapist, the volunteer-run nonprofit, the one-person marketing shop. Those sites do not have someone watching a dashboard on Saturday. They have a site that either updated itself or did not.



The honest mitigating detail


We are not going to run the scary number without the caveat, because the caveat is real. WordPress applies minor security releases automatically by default, and has since 2013. A large share of vulnerable sites will pull 6.9.5 or 7.0.2 on their own over the coming hours with nobody lifting a finger, and that is the system working. The exposure lives in the sites where automatic updates were turned off, which is common precisely on the larger, more valuable, more customized installs where an admin disabled auto-update years ago to protect a fragile theme or plugin stack. Those are the ones an attacker most wants and the ones least likely to fix themselves this weekend. The blast radius is enormous and the self-healing is also real. Both things are true.



What to do before you close the laptop


If you run WordPress, confirm you are on 7.0.2 or 6.9.5 right now. Do not assume auto-update handled it, verify it in the admin dashboard, because the sites that most need the fix are exactly the ones where auto-update was disabled. If you cannot update immediately, block or restrict access to the /wp-json/batch/v1 endpoint at your web application firewall or reverse proxy, since a bug reachable only over the network is bounded by what can reach it. Then check your access logs for requests to that batch endpoint over the last few days, because a hit before you patched is worth treating as a compromise and hunting accordingly.


We cap our confidence at 95 percent. WordPress and Searchlight have confirmed the flaw and the fix. What nobody can give you yet is the count of sites that get shelled between this Friday release and the Monday when their owners next log in, and given who runs WordPress and how weekends work, that number is going to be larger than anyone wants to admit. Patch yours tonight and you are not in it.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page