Emergency Patch Rolled Out After wp2shell RCE Threat Targets WordPress

A critical, pre-authentication remote code execution flaw named wp2shell in WordPress Core affects roughly 500 million+ sites. It stems from a REST API batch-route confusion that enables unauthenticated attackers to execute code on vulnerable WordPress installations. The issue affects WordPress core versions 6.9.0–6.9.4, 7.0.0–7.0.1 (and 7.1 beta); fixes have been shipped in WordPress 7.0.2 with backports to 6.8.6 and 6.9.5. WordPress is auto-updating affected sites, and admins should update immediately. If patching isn’t possible yet, block anonymous REST API access or the batch endpoints as temporary mitigations and use the wp2shell.com scanner to check exposure.
- New wp2shell RCE Vulnerability Hits Millions of WordPress Sites, Emergency Patch Released CyberSecurityNews
- Cloudflare WAF protects WordPress applications from two high-severity vulnerabilities The Cloudflare Blog
- New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code The Hacker News
- CVE-2026-63030: wp2shell a Critical Remote Code Execution Vulnerability in WordPress Core Rapid7
- Unauthenticated RCE Vulnerability in WordPress core (wp2shell), via SQL injection. Patch the vulnerability now! Aikido Security
Reading Insights
0
11
24 min
vs 25 min read
98%
4,805 → 95 words
Want the full story? Read the original article
Read on CyberSecurityNews