'wp2shell' WordPress Core Unauthenticated RCE Patched in 6.9.5 and 7.0.2 (CVE-2026-63030)

An unauthenticated remote-code-execution flaw in WordPress Core, disclosed as wp2shell, affects the 6.9 and 7.0 branches. Fixes shipped July 17 in 6.9.5 and 7.0.2 — defender teams and hosting providers should verify patch status rather than assume forced updates landed.

Share
Editorial illustration of a website building block with an open back door and a blueprint beside it, marking the wp2shell WordPress Core unauthenticated RCE.

Key Takeaways

  • A GitHub Security Advisory published July 17, 2026 disclosed CVE-2026-63030 — publicly referred to as "wp2shell" — a critical unauthenticated remote code execution (RCE) vulnerability in WordPress Core reachable via the REST API batch endpoint, with no valid account and no user interaction required.
  • The flaw affects WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1; fixes shipped the same day in 6.9.5, 7.0.2, and 7.1 Beta 2, and WordPress says it is forcing updates to installations that have automatic updates enabled.
  • Technical exploit details were withheld at disclosure and no public proof-of-concept had been confirmed as of publication — but Rapid7 assesses one is highly likely to appear shortly, which makes per-site patch verification, not assumed auto-update coverage, the defender action this weekend.

A pre-authentication flaw in WordPress Core itself — not a plugin — turns patch verification into the weekend's highest-value defender task for agencies and hosting providers.

SAN FRANCISCO, CALIF. — A GitHub Security Advisory published July 17, 2026 disclosed CVE-2026-63030, a critical unauthenticated remote code execution (RCE) vulnerability in WordPress Core that researchers and vendors refer to as "wp2shell." Rapid7, publishing an emergent threat response the same day, said the flaw lets an unauthenticated attacker execute code by way of the WordPress REST API batch endpoint, potentially resulting in complete compromise of the website and its underlying data, with no valid account and no user interaction required. Scope is the distinguishing detail: the defect is in WordPress Core, not a plugin, so a default installation with no add-ons falls inside the affected population.

Searchlight Cyber, whose research team identified the issue, said in its disclosure writeup that the attack "has no preconditions and can be exploited by an anonymous user" against a stock install. The advisory lists 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 as affected, with fixes in 6.9.5, 7.0.2, and 7.1 Beta 2. WordPress maintainers said in the 7.0.2 release announcement that they are forcing updates for installations with automatic updates enabled. Releases at or below 6.8.5 are not affected.

At a Glance
FieldDetails
CVECVE-2026-63030, publicly referred to as "wp2shell"
Affected softwareWordPress Core — a default install with no plugins is in scope
Affected versions6.9.0 through 6.9.4; 7.0.0 through 7.0.1. Releases at or below 6.8.5 are not affected
Fixed versions6.9.5, 7.0.2, and 7.1 Beta 2, released July 17, 2026
Vulnerability classUnauthenticated remote code execution (RCE) reachable via the REST API batch endpoint
SeverityGitHub Security Advisory classifies the severity as Critical; the CVE currently carries a CVSS score of 7.5 (see the discrepancy section below)
DisclosureGitHub Security Advisory published July 17, 2026; discovered by Searchlight Cyber's research team
Exploitation statusNo publicly confirmed in-the-wild exploitation reported at the time of writing
Public exploit codeTechnical details withheld by the researchers; no public proof-of-concept confirmed as of publication
CISA KEV statusNot confirmed as added to the Known Exploited Vulnerabilities catalog (see Open Questions)

What the GitHub Advisory Disclosed

The GitHub Security Advisory for CVE-2026-63030 establishes what defenders need to triage the issue, and little more: an unauthenticated remote code execution flaw in WordPress Core affecting 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1, fixed in 6.9.5 and 7.0.2, with the fix also carried in 7.1 Beta 2.

On the vulnerability class, the published record stops at the affected component rather than the mechanics. Rapid7 places the flaw at the WordPress REST API batch endpoint. Cloudflare reported that the vulnerable code path can be reached when a persistent object cache is not in use — relevant to judging which sites sit in the higher-risk band, but not a mitigation and not to be treated as one. The CyberSignal is not reconstructing the request shape or the exploitation sequence beyond what the advisories chose to publish; the operationally useful facts are the affected and fixed versions.

The Proof-of-Concept Question and What It Means for Defender Teams

Searchlight Cyber withheld technical exploit details at disclosure, saying it did so given the severity of the bug and to give defenders time to patch. Rapid7 confirmed those details had not been published as of the evening of July 17, and said it was not aware of publicly confirmed in-the-wild exploitation. In place of a teardown, Searchlight published a checker at wp2shell.com so operators can test their own instance.

That restraint is real, but Rapid7's assessment is that it buys days rather than weeks: because WordPress Core is open source, and given the current ability of AI models to analyse open-source code, Rapid7 Labs said it believes a public proof-of-concept is highly likely in a short period. Shipping a fix to an open-source codebase also ships a diff. Searchlight's own record illustrates the timeline — the firm turned a public Drupal core fix into a same-day teardown when it published on CVE-2026-9082 in Drupal core. The practical read: the absence of a public exploit today is a patch window already closing, not evidence of low risk.

Defender Posture Across WordPress Deployments

The remediation instruction is short: update to 6.9.5, 7.0.2, or another fixed release for the branch. Rapid7 explicitly does not recommend workarounds. What turns that into real work is verification. WordPress says it is forcing updates to installations with automatic updates enabled — but that phrasing carries a condition, and neither advisory establishes whether the push reaches sites where auto-updates were switched off. Administrators should confirm each internet-facing site actually landed on a fixed version rather than assume it arrived. This is the difference between patch availability and patch verification that recurs in nearly every CMS incident.

The population that has to do this work is broader than a security team. Digital agencies running hundreds of client sites, hosting providers with fleets in the thousands, and marketing teams operating campaign microsites all hold assets inside the affected range, and those assets rarely sit in a central inventory. The task is a version query: enumerate every instance under management, identify anything on 6.9.0 through 6.9.4 or 7.0.0 through 7.0.1, and confirm the fixed version is running rather than queued. Where a site cannot be updated immediately, Searchlight's emergency measures centre on blocking anonymous access to the batch API at a WAF or disabling unauthenticated REST access — both, in the firm's own words, stopgaps that may break legitimate functionality.

The Severity Discrepancy: "Critical" Classification Versus CVSS 7.5

There is an unresolved inconsistency in how CVE-2026-63030 is rated. Rapid7 notes that while the official GitHub Security Advisory classifies the severity as Critical, the vulnerability has currently been assigned a CVSS score of 7.5 — which falls in the High band, not Critical. Both figures come from the primary record; neither is a reporting error, and The CyberSignal is not picking one.

The gap matters because many organisations drive patch SLAs off the numeric score. A programme that escalates at CVSS 9.0 and above will not treat a 7.5 as an emergency. Against that, the qualitative picture — unauthenticated, no user interaction, code execution, in the core of the most widely deployed CMS on the web — is what drove the Critical classification and Rapid7's instruction to patch urgently. Where score and classification disagree this sharply, the defensible posture is to prioritise on attack characteristics and treat the score as a lagging artefact that may yet be revised.

Continuation Context: The CMS Security Thread

This disclosure lands in a sustained run of content-management-system exploitation The CyberSignal has tracked through July. Days earlier, iCagenda and Balbooa Forms Joomla extension flaws were reportedly exploited as zero-days, following CISA's earlier addition of a Joomla JCE component flaw to its Known Exploited Vulnerabilities catalog. On the WordPress side, the Gravity SMTP plugin API-key exposure and the Ghost CMS SQL-injection flaw abused in a ClickFix campaign across roughly 700 sites both featured in the same window, and Australia's Cyber Security Centre issued a mid-July advisory on a large-scale global campaign against CMS platforms and their plugins.

What separates wp2shell from the rest of that thread is the layer it sits on. Those items are extension- and plugin-level issues — real, but bounded by whoever installed the component. CVE-2026-63030 is in WordPress Core, so the exposure question is not "what did we install" but "what version are we on." Set against the 2026 Verizon DBIR finding that vulnerability exploitation has overtaken credential theft as the leading initial-access method, a core-level unauthenticated RCE in the web's most-deployed CMS is precisely the shape of flaw that finding describes.

Open Questions

Several material points remain unestablished. Whether CVE-2026-63030 is being exploited in the wild is not confirmed: Rapid7 was not aware of publicly confirmed in-the-wild exploitation at the time of its writeup, and no exploitation attempt had been reported in the following day's coverage. Whether the flaw will be added to CISA's Known Exploited Vulnerabilities catalog is likewise unconfirmed, and a KEV listing would carry federal remediation deadlines that do not currently apply. The number of exposed installations is not established; Searchlight's estimate that over 500 million websites run WordPress is the total install base, not the vulnerable population, and the affected code exists only from 6.9 onward.

The severity rating should be treated as provisional — the CVSS 7.5 is the score currently assigned, and scores are routinely revised. And whether the forced-update mechanism reaches installations that have disabled automatic updates has not been stated by WordPress, which is precisely why per-site version verification is the recommended action rather than trusting the push.


The CyberSignal Analysis

The facts above come from the advisories and the reporting. What follows is The CyberSignal's editorial reading of what WordPress operators should take from this disclosure; none of it introduces new reported facts.

Signal 01 — Core-Level Scope Removes the Usual Triage Filter

Almost every WordPress security story of the past two years has been a plugin story, and defenders have built their reflexes accordingly: check the plugin inventory, filter to the affected component, patch the subset. CVE-2026-63030 defeats that reflex, because the vulnerable code is in WordPress Core and a stock install with no plugins is in scope. Our reading is that this changes what a credible answer looks like. "We don't run that plugin" is not available here; the only sufficient answer is a version number per site — and the sites least likely to be on that list are the forgotten campaign microsites nobody treats as production infrastructure.

Signal 02 — Withheld Details Are a Patch Window, Not Protection

Searchlight Cyber's decision to hold technical details and publish a self-check tool instead is responsible disclosure working as intended. But Rapid7's assessment that a public proof-of-concept is highly likely in a short period is the operative planning assumption, and the reasoning is structural rather than speculative: an open-source project cannot ship a fix without also shipping the map to the bug. Our view is that defenders should treat the quiet period as a countdown of unknown but short duration, and resist scheduling this into the next maintenance window on the grounds that nothing is being exploited yet.

Signal 03 — When Score and Classification Disagree, Trust the Attack Characteristics

The Critical-versus-7.5 split is a live demonstration of a weakness in score-driven patch management. A programme that escalates strictly on CVSS thresholds will route an unauthenticated, no-interaction, code-execution flaw in the world's most widely deployed CMS into a routine queue, because the number says 7.5. Our assessment is that this is the wrong outcome, and the discrepancy should be escalated as an exception rather than silently obeyed. The watch item is whether the score for CVE-2026-63030 is revised upward in the coming days, and whether a KEV listing follows.


Sources

TypeSource
PrimaryRapid7 — CVE-2026-63030: wp2shell a Critical Remote Code Execution Vulnerability in WordPress Core
PrimarySearchlight Cyber — wp2shell: Pre Authentication RCE in WordPress Core
PrimaryGitHub Security Advisory — GHSA-ff9f-jf42-662q (CVE-2026-63030)
PrimaryWordPress.org — WordPress 7.0.2 Release Announcement
ReportingThe Hacker News — New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
RelatedThe CyberSignal — iCagenda and Balbooa Forms Joomla Zero-Days Reportedly Exploited in the Wild
RelatedThe CyberSignal — Drupal Core CVE-2026-9082 Anonymous SQL Injection
RelatedThe CyberSignal — ACSC Warns of Global CMS Exploitation Campaign