"a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution," WordPress wrote in its release notes on July 17, 2026.
WordPress shipped fixes on July 17, 2026: 6.9.5 and 7.0.2
On July 17, 2026, WordPress released versions 6.9.5 and 7.0.2 to close a pre-auth remote code execution (RCE) vulnerability in core that an anonymous HTTP request can trigger. The updates enable what WordPress calls forced updates through its auto-update system. The vendor also published a 7.1 beta2 carrying the same fix.
The technical fault: a REST API batch-route confusion plus SQL injection
Adam Kues at Assetnote — the attack-surface arm of Searchlight Cyber — reported the flaw to WordPress through HackerOne and named the finding "wp2shell." WordPress describes the issue as a "REST API batch-route confusion and SQL injection issue leading to Remote Code Execution." The affected code paths span three files listed on the version page: /wp-includes/rest-api/class-wp-rest-server.php, /wp-includes/class-wp-query.php, and /wp-includes/rest-api.php.
Which releases were affected, and how to track exposure
- WordPress identified two affected ranges: 6.9.0 through 6.9.4 (fixed in 6.9.5) and 7.0.0 through 7.0.1 (fixed in 7.0.2).
- The problematic batch endpoint has been shipped since WordPress 5.6 (November 2020) and its request format documented publicly, but WordPress has not explained what changed in 6.9 to introduce the flaw.
- Searchlight estimates the total WordPress install base exceeds 500 million sites; that figure is the total install base, not the vulnerable population. The flawed code exists only from 6.9 onward, and 6.9 first shipped on December 2, 2025—so all affected sites are running releases less than eight months old.
- Neither advisory carries a CVE identifier or a CVSS score, and by July 18 no CVE record had appeared. As a result, CVE-keyed scanners and inventories will not flag this by CVE; defenders must track exposure by version number instead. CISA requires a CVE before it can add issues to the Known Exploited Vulnerabilities (KEV) catalog.
Mitigations if you cannot update immediately
Searchlight published three stopgap mitigations that all aim to stop anonymous callers from reaching the batch endpoint; each can break legitimate integrations:
- At a WAF, block both /wp-json/batch/v1 and rest_route=/batch/v1. Searchlight is explicit that both paths must be blocked because a rule that only covers the /wp-json path leaves the query-string route open.
- Disable the WP REST API entirely, which kills unauthenticated REST access wholesale.
- Install a short drop-in plugin that publishes and rejects anonymous /batch/v1 requests at the rest_pre_dispatch hook.
Searchlight also posted a non-technical checker at wp2shell.com so owners can test their own instances. There were no exploitation attempts reported as of July 18, 2026, and without a CVE or public signature, broad detection is unlikely until traffic patterns change.
What this means for technologists, enterprise owners, and defenders
- Technologists and security teams: Track installed WordPress versions rather than rely on CVE feeds; confirm whether forced updates reached your instances and prioritize immediate upgrades to 6.9.5, 7.0.2, or 7.1 beta2 where appropriate. If you cannot patch, apply one of the three mitigations but expect potential breakage of integrations.
- Affected enterprises and site owners: Check version pages and WordPress's auto-update state—WordPress has not said whether the forced push reaches sites that have auto-updates turned off. Use the wp2shell.com checker if you prefer not to run comparisons yourself, and be aware that lack of a CVE means inventory tooling may miss this issue.
- Defenders monitoring traffic: Watch for spikes against the batch/v1 endpoint; WordPress noted that traffic against batch/v1 will reveal when attackers arrive, and WordPress's own version statistics will show whether the patch reached sites before exploitation begins.
Open-source distribution creates a hard choice: the fix and the map to the bug travel together. WordPress pushed the patch on July 17, 2026; the remaining question is whether version rollout and site updates will outrun an exploit that requires only an anonymous HTTP request. For now, defenders must watch batch/v1 traffic, verify versions directly, and use the temporary mitigations described above.




