WordPress administrators should check their core version after an emergency July 17 security release fixed wp2shell, a WordPress Core remote code execution chain tied to the REST API batch endpoint and SQL injection. WordPress says the 7.0.2 release addresses one critical and one high-severity security issue and that forced updates were enabled for affected versions through the auto-update system.[1]
The main RCE issue is tracked as CVE-2026-63030. The WordPress GitHub advisory says WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 are affected, with fixes in 6.9.5 and 7.0.2.[2] A related SQL injection flaw, CVE-2026-60137, also affects 6.8.0 through 6.8.5 and is patched in 6.8.6, 6.9.5, and 7.0.2.[3]
That version split matters. A WordPress 6.8 site is not in the same RCE scope described for 6.9 and 7.0, but it can still need the SQL injection backport. A 6.9 or 7.0 site needs the branch-specific security release, not a generic reassurance that automatic updates are usually enabled.
Who is affected and what to check
Searchlight Cyber, whose Assetnote team reported the RCE issue to WordPress, describes wp2shell as a pre-authentication vulnerability with no plugin requirement and no special configuration requirement: an anonymous user can target a stock WordPress install if it is running an affected version.[4] The company is withholding technical exploit details for now and has published a checker for site owners, but the safer operational habit is still to confirm the patched version directly in the WordPress dashboard, via WP-CLI, or through your hosting panel.
For most site owners, the immediate checklist is short: confirm WordPress 7.0.2 if you are on the 7.0 branch, confirm 6.9.5 if you are still on 6.9, or confirm 6.8.6 if you remain on 6.8 for compatibility reasons. Then verify that backups, WAF rules, and file-integrity monitoring are working. If a managed host says it applied forced updates, check the actual core version anyway.
Teams that cannot update immediately should treat mitigations as temporary risk reduction, not a replacement for patching. Searchlight recommends blocking anonymous access to the batch API, including both the pretty REST path and the query-string route form, or disabling unauthenticated REST API access until the update can be installed.[4] Those controls can break legitimate REST-based integrations, so test publishing workflows, form plugins, mobile apps, commerce flows, and site builders after applying them.
Because the chain reaches WordPress Core, it should be handled separately from normal plugin hygiene. If you recently reviewed plugin compromise cases such as backdoored WordPress plugins, do not assume those checks cover this release. Core, plugins, themes, and custom code all have different update paths.
After patching, review evidence of possible pre-update activity. Look for unexpected administrator accounts, modified theme or plugin PHP files, unfamiliar scheduled tasks, suspicious files under wp-content/uploads, and unusual unauthenticated REST requests. Wordfence rates the RCE issue as critical and says the route/validation desynchronization can be chained with SQL injection to make server-side code execution possible.[5] If you find signs of compromise, preserve logs, isolate the instance, rotate WordPress salts and credentials, and inspect the database before returning the site to normal operation.
The wider lesson is the same one behind recent CMS webshell cleanup alerts and core SQL injection incidents: the dangerous window is the gap between disclosure, patch availability, and real confirmation on production. For wp2shell, close that window by version number first.
References
- WordPress.org: WordPress 7.0.2 Release, July 17, 2026.
- WordPress GitHub Advisory GHSA-ff9f-jf42-662q, REST API batch-route confusion and SQL injection issue leading to RCE.
- WordPress GitHub Advisory GHSA-fpp7-x2x2-2mjf, facilitated SQL injection in
WP_Query. - Searchlight Cyber / Assetnote advisory: wp2shell, July 17, 2026.
- Wordfence PSA: WordPress Core patched unauthenticated RCE vulnerability chain, July 17, 2026.
Leave a Comment