"Searchlight Cyber's security research team has discovered a pre-authentication RCE in WordPress Core," Searchlight Cyber said, bluntly framing the urgency for site operators.
CVE-2026-63030 and CVE-2026-60137: the technical chain
The vulnerability complex dubbed "wp2shell" is not a single bug but two separate flaws that can be chained to achieve remote code execution (RCE) on stock WordPress installations. The first, CVE-2026-63030, is a REST API batch-route confusion vulnerability introduced in WordPress 6.9. The second, CVE-2026-60137, is a high-severity SQL injection affecting the 'author__not_in' parameter of WP_Query. When combined, these flaws enable a pre-authentication RCE against WordPress Core on affected releases.
Versions affected and the scope of impact
According to WordPress advisories, the full RCE chain affects WordPress 6.9.0 through 6.9.4 and WordPress 7.0.0 through 7.0.1. The SQL injection component (CVE-2026-60137) also affects WordPress 6.8.0 through 6.8.5, but those earlier 6.8 releases cannot be chained to achieve RCE because the REST API batch-route confusion bug was added in 6.9. Searchlight Cyber — which reported the flaws after discovery by Adam Kues — says an unauthenticated attacker can exploit them against a default WordPress installation: "The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins."
Immediate vendor responses: forced updates and public testing
WordPress moved quickly: because of the severity, the WordPress.org team enabled forced automatic security updates for supported installations running affected versions and urged site owners to update to WordPress 7.0.2 or 6.9.5 immediately. "Because this is a security release, it is recommended that you update your sites immediately," WordPress said in its security announcement. Searchlight Cyber withheld detailed technical disclosure initially to give administrators time to patch and published a testing resource at wp2shell.com so operators can determine whether a site is vulnerable.
Mitigations and third-party protections: Searchlight recommendations and Cloudflare
For organizations unable to update immediately, Searchlight Cyber recommended two temporary mitigations: installing a plugin that blocks anonymous access to the REST API entirely, or blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level. The company warned those measures are temporary and should be used only until systems are updated. Cloudflare announced it had deployed Web Application Firewall (WAF) protections for both vulnerabilities across all plans, including free accounts, for sites proxied behind its platform, and said the rules block attempts to exploit both CVE-2026-60137 and CVE-2026-63030. "WAF protections reduce exposure while customers update, but they are not a substitute for patching," Cloudflare said.
Public proofs, reported exploitation, and observed attack patterns
Searchlight's delay in releasing technical details was temporary: multiple public proof-of-concept (PoC) exploits have since been published on GitHub. Some publicly available exploits chain the two vulnerabilities to extract WordPress password hashes via SQL injection, then crack an administrator password to log in, upload a malicious plugin, and execute commands. Other PoCs claim to achieve pre-authentication remote code execution without requiring administrator credentials, aligning with Searchlight Cyber's original description. BleepingComputer contacted Searchlight Cyber to confirm whether its attack chain requires an administrator password. Security firm watchTowr reported it has "already seen in-the-wild exploitation after the public exploits were released," and its CEO Benjamin Harris warned the combination of an unauthenticated SQL injection or RCE in WordPress Core is "exactly what makes this one different, and why everyone is scrambling to patch before widespread exploitation takes hold."
What this means for site administrators, security teams, and WAF providers
- Site administrators: update immediately to WordPress 7.0.2 or 6.9.5. If you cannot update at once, implement temporary mitigations — block /wp-json/batch/v1 and ?rest_route=/batch/v1 at the edge or install a plugin to block anonymous REST API access — and use wp2shell.com to test vulnerability status.
- Security teams and incident responders: anticipate attempts that use published PoCs to extract password hashes, crack credentials, and upload malicious plugins; prioritize detection and rapid remediation for sites running the affected releases.
- WAF providers and CDN operators: consider deploying rules that block exploit attempts for both CVE-2026-60137 and CVE-2026-63030, while communicating clearly that WAF coverage is a stopgap and patching remains essential.
Searchlight Cyber estimates that more than 500 million websites use WordPress, and with public PoCs available and reported in-the-wild exploitation, the window for opportunistic attacks is open. The practical outcome is straightforward: apply the fixes (WordPress 6.9.5 or 7.0.2), test known endpoints with tools such as wp2shell.com, and treat any edge protections as temporary until sites are patched. For administrators who delay, the combination of pre-authentication SQLi and REST API confusion presents a direct and verifiable path to full site compromise.
Source: BleepingComputer — WordPress Core "wp2shell" RCE flaws get public exploits, patch now




