Cybersecurity

WordPress Core Vulnerability Exposes Sites to Code Execution

A critical vulnerability in WordPress core, dubbed 'wp2shell,' allows unauthenticated attackers to execute arbitrary code on affected websites. WordPress released patches 6.9.5 and 7.0.2 on July 17, 2026, to address the flaw.

Joshua Ramos
Joshua Ramos covers cybersecurity for Techawave.
3 min read0 views
WordPress Core Vulnerability Exposes Sites to Code Execution
Share

A serious security flaw discovered in the core of the WordPress content management system has been patched, according to an advisory released by WordPress on July 17, 2026. The vulnerability, identified as "wp2shell," allows attackers to execute arbitrary code on vulnerable websites without needing any prior authentication. This means a simple, anonymous HTTP request could compromise a site running an affected version of WordPress.

The bug impacts versions 6.9.0 through 6.9.4, which have been updated to version 6.9.5, and versions 7.0.0 through 7.0.1, which have been patched with version 7.0.2. WordPress implemented forced updates for these releases through its auto-update system, aiming to protect the vast majority of its user base. The discovery was made by Adam Kues from Assetnote, the attack surface management division of Searchlight Cyber, who reported the issue via WordPress's HackerOne bug bounty program.

The wp2shell vulnerability is particularly concerning because it resides in the core of WordPress, meaning a clean installation with no plugins is susceptible. "The attack has no preconditions and can be exploited by an anonymous user," stated the initial write-up from Assetnote. The firm is currently withholding full technical details but has provided a diagnostic tool on wp2shell.com for website owners to check their own systems.

Understanding the Technical Details and Impact

WordPress's release notes describe the flaw as a "REST API batch-route confusion and SQL injection issue leading to Remote Code Execution." The update addresses one critical and one high-severity vulnerability. The affected code is present in WordPress releases starting from version 6.9, which was launched on December 2, 2025. This means any site running a version less than eight months old could be at risk if not updated. While WordPress has not explicitly stated whether the forced update mechanism extends to sites that have disabled automatic updates, it is strongly recommended that users manually verify their WordPress version.

The REST API batch endpoint, which is implicated in the vulnerability, has been part of WordPress since version 5.6, released in November 2020. The exact change in version 6.9 that introduced the flaw remains unclarified in the advisories. Notably, neither the WordPress advisories nor any public CVE (Common Vulnerabilities and Exposures) records issued as of July 18, 2026, provide a CVE ID or a CVSS score for this specific vulnerability. This lack of formal identification may hinder automated scanning tools and security watchlists like CISA's KEV catalog.

The estimated number of WordPress websites globally is substantial, with Searchlight Cyber estimating over 500 million installations. However, only those running the affected versions 6.9.x and 7.0.x are vulnerable. Given the release date of version 6.9, the potentially vulnerable population is limited to sites updated within the last eight months.

For administrators unable to update immediately, temporary mitigation strategies include blocking access to the `/wp-json/batch/v1` endpoint and `rest_route=/batch/v1` at a Web Application Firewall (WAF). Disabling the WP REST API entirely is another option, though this can disrupt legitimate integrations. A temporary plugin can also reject anonymous requests to the batch endpoint. These are considered stopgap measures until a full update can be applied.

As of July 18, 2026, there have been no reported exploitation attempts in the wild. The delay in public technical disclosure and the lack of a CVE ID mean that widespread scanning or exploitation has not yet begun. However, the history of WordPress exploitation demonstrates the rapid pace at which vulnerabilities are weaponized. For instance, a previous caching plugin flaw led to the compromise of over 17,000 sites. The open-source nature of WordPress means that the code for the patches is publicly available, allowing security researchers to identify the vulnerability even without official details. The race is now on to ensure that the WordPress security patches reach a majority of sites before malicious actors can leverage the discovered flaw.

Share