Back to Blog

Emerging Threat: (CVE-2026-63030, CVE-2026-60137) WordPress Core Unauthenticated RCE via wp2shell

Sample of assets impacted by the wp2shell vulnerability chain, identified by the CyCognito Platform

What is wp2shell (CVE-2026-63030 and CVE-2026-60137)?

wp2shell is the name given to an unauthenticated remote code execution attack against WordPress core. It is not a single bug. It is a chain of two separately tracked flaws that, combined, let an anonymous attacker run code on a default WordPress installation with no plugins, no valid account, and no user interaction.

The first flaw, CVE-2026-63030, is a REST API batch-route confusion issue in WP_REST_Server::serve_batch_request_v1(). It is classified as CWE-436 (interpretation conflict) and carries a CVSS v3.1 base score of 7.5 (High). The affected endpoint, /wp-json/batch/v1, has shipped with WordPress since version 5.6, so the entry point is present on a large installed base. On its own, the route confusion is a bounded problem.

The second flaw, CVE-2026-60137, is a SQL injection in the author__not_in parameter of WP_Query, the core class that builds most of the database queries WordPress issues. It is classified as CWE-89 and carries a CVSS v3.1 base score of 9.1 (Critical). On its own, it is a data-integrity issue that surfaces when a plugin or theme passes untrusted input into that parameter.

The two combine on WordPress 6.9 and later. The batch endpoint provides the unauthenticated reach, the SQL injection provides the code path, and the result is remote code execution before any authentication step. Exploitation is pre-authentication. As of July 18, 2026, a working proof of concept describing the full mechanism has been published, which lowers the effort required to probe exposed installations.

What assets are affected by wp2shell?

The full RCE chain affects WordPress core versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. A separate, narrower band, WordPress 6.8.0 through 6.8.5, carries only the SQL injection component and is not exposed to the full wp2shell chain. Versions prior to 6.8 are not affected. The fixed releases are 6.8.6, 6.9.5, and 7.0.2, with the 7.1 beta line addressed in 7.1 beta2.

In practice, an affected asset is any internet-facing site running a vulnerable WordPress core version in a default configuration. No add-ons are required for the RCE chain, which removes the usual assumption that a site is only at risk if it runs a specific vulnerable plugin. WordPress powers a large share of public websites, so the affected population spans corporate sites, campaign and product microsites, regional and subsidiary properties, and older installs that are still online but no longer actively maintained.

The 6.8.x distinction matters for triage. A scanner or ticket that tracks only the RCE chain may treat 6.8.x sites as safe, but those sites still require the 6.8.6 update to close the SQL injection. Treating the two CVEs as one problem, rather than one number, keeps the older branch from being overlooked.

What does our data show about exposure patterns?

Exposure in this set is led by Consumer Discretionary at 18.6% of observed assets, with Industrials contributing 15.8% and Communication Services 13.0%. No single sector dominates, and more than half of the observed assets fall outside the top three named sectors.

Consumer Discretionary and Communication Services organizations tend to run large numbers of public-facing brand, campaign, and media properties, and WordPress is a common choice for those sites.

That footprint is often spread across regions, agencies, and business units, which produces many small installs under decentralized ownership. Industrials show a similar pattern through subsidiary and product-line sites that accumulate over time. In each case, the vulnerable asset is rarely the flagship domain and more often a secondary property that receives less patching attention.

The flat spread across sectors, paired with a large Others tail, points to the underlying driver. wp2shell exposure is not a characteristic of one industry. It is an artifact of how widely WordPress is deployed and how loosely many of those deployments are tracked. Sites stood up for a single launch, migration, or regional presence tend to drift out of inventory while remaining reachable, and a core-level flaw like this one reaches every one of them regardless of what the site is for.

Are fixes available?

Yes. WordPress released 6.8.6, 6.9.5, and 7.0.2 on July 17, 2026, and each closes the vulnerabilities relevant to its branch. The 7.1 beta line is fixed in 7.1 beta2. To reduce the exposure window, the WordPress security team also force-pushed automatic updates to affected sites where auto-updates were enabled.

The forced update reduces risk but does not guarantee remediation. A background update can fail or be disabled, so administrators should confirm the version that actually installed on each site rather than assume the update completed. Sites on 6.8.0 through 6.8.5 should be moved to 6.8.6 for the SQL injection even though that branch is outside the full RCE chain.

A patched core closes the vulnerable path but does not undo a compromise that happened before patching. Any site that ran an affected version while reachable should be treated as potentially compromised until reviewed. Defenders should confirm fixed versions directly against their own inventory rather than relying on a single central assumption that all sites updated.

Until patched versions are confirmed on every site, defenders should:

  • Inventory all internet-facing WordPress instances and confirm the running core version
  • Verify that the forced automatic update actually completed on each site
  • Prioritize sites on 6.9.0 or later, which carry the full unauthenticated RCE chain
  • Restrict or block access to the /wp-json/batch/v1 endpoint at the WAF layer until patched
  • Monitor REST API logs for unexpected batch requests and for SQL injection patterns
  • Review themes, plugins, uploads, and administrator accounts on any site that ran a vulnerable version

How can CyCognito help your organization?

CyCognito published an Emerging Threat Advisory for CVE-2026-63030 and CVE-2026-60137 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.

To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.


Request a free scan

See Exactly What Attackers See

Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally .

Request a Scan
Top Attack Paths