What's Happening?
A significant security flaw in WordPress, known as wp2shell, has been identified, allowing unauthenticated attackers to execute code on WordPress sites. The flaw consists of two vulnerabilities: CVE-2026-63030, a REST API batch-route confusion, and CVE-2026-60137,
a SQL injection in WordPress core. These vulnerabilities can be exploited by an anonymous user to execute code on affected sites. WordPress has released updates 6.9.5 and 7.0.2 to address these issues, enabling forced updates through its auto-update system. The vulnerabilities affect versions 6.9 and 7.0, with the SQL injection going back to version 6.8. The flaw was discovered by Adam Kues at Assetnote and reported through WordPress's HackerOne program. The patch is now public, and a proof-of-concept has been published on GitHub.
Why It's Important?
This security flaw poses a significant risk to millions of websites running on WordPress, one of the most popular content management systems globally. The ability for attackers to execute code without authentication could lead to widespread exploitation, compromising sensitive data and potentially causing financial and reputational damage to businesses and individuals. The flaw highlights the importance of timely updates and security patches in open-source software. The incident underscores the need for robust security measures and the potential consequences of vulnerabilities in widely used platforms.
What's Next?
Website administrators are urged to update their WordPress installations immediately to mitigate the risk of exploitation. Security researchers and organizations will likely continue to monitor for any signs of mass exploitation. WordPress's version statistics will provide insights into how many sites have applied the patch. Meanwhile, security firms may develop additional protective measures, such as web application firewall rules, to block potential attacks. The incident may prompt further scrutiny of WordPress's security practices and encourage users to adopt more proactive security strategies.













