Public exploits have been released for a critical WordPress Core vulnerability chain dubbed “wp2shell,” and administrators are being urged to patch immediately. The chain combines two flaws, tracked as CVE-2026-63030 and CVE-2026-60137, into a pre-authentication remote code execution exploit that works against default WordPress installations with no plugins required.

The vulnerabilities were discovered by Adam Kues of Searchlight Cyber, which noted the attack has no preconditions and can be carried out by an anonymous user. Given that WordPress powers an estimated 500 million websites, the exposure is significant.

How the chain works

CVE-2026-63030 is a REST API batch-route confusion vulnerability introduced in WordPress 6.9. On its own it is not exploitable for RCE, but it can be combined with CVE-2026-60137, a high-severity SQL injection flaw in the ‘author__not_in’ parameter of WP_Query affecting WordPress 6.8 and later. Because the REST API bug did not exist before 6.9, the full RCE chain only affects WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1, while the SQL injection alone affects 6.8.0 through 6.8.5.

Due to the severity, the WordPress security team enabled forced automatic updates for supported installations running affected versions. Site owners should confirm they are running WordPress 7.0.2 or 6.9.5, both of which contain the fix.

Public exploits and active exploitation

Searchlight Cyber initially withheld technical details and instead launched wp2shell.com, a site allowing administrators to check whether their installs are vulnerable. Since then, multiple proof-of-concept exploits have appeared publicly on GitHub. Some extract password hashes via the SQL injection flaw, crack an administrator password, then upload a malicious plugin to execute commands. Others claim to achieve pre-authentication RCE without needing any credentials, consistent with Searchlight Cyber’s original description.

Security firm watchTowr says it has already observed the released PoCs in circulation and is seeing early signs of in-the-wild exploitation. watchTowr’s CEO noted that unauthenticated, high-impact WordPress Core vulnerabilities of this scale are rare, which is driving urgency around patching.

Mitigations for unpatched sites

For organizations that cannot immediately update, Searchlight Cyber recommends installing a plugin that blocks anonymous REST API access, or blocking the /wp-json/batch/v1 and ?rest_route=/batch/v1 endpoints at the WAF level. These measures are described as temporary only.

Cloudflare has also deployed WAF rules across all plans, including free tier, to block exploitation attempts against both CVEs for customers proxied through its platform, though it stresses that WAF protection is not a substitute for patching.

Given the availability of public exploits and reported in-the-wild activity, administrators should update to WordPress 7.0.2 or 6.9.5 without delay.