WordPress Core "wp2shell" RCE flaws get public exploits, patch now
Key Points:
- Critical "wp2shell" remote code execution vulnerabilities (CVE-2026-63030 and CVE-2026-60137) have been discovered in WordPress Core versions 6.9.x and 7.0.x, allowing unauthenticated attackers to execute code remotely on default installations.
- The vulnerabilities involve a REST API batch-route confusion flaw combined with a high-severity SQL injection in the 'author__not_in' parameter, enabling a chained attack that affects over 500 million WordPress sites.
- WordPress has released security updates (versions 7.0.2 and 6.9.5) and enabled forced automatic updates for affected installations, urging immediate patching to prevent exploitation.
- Public proof-of-concept exploits have been published, and initial signs of in-the-wild exploitation have been reported, increasing the urgency for site administrators to update or apply temporary mitigations like blocking REST API access.
- Cloudflare has deployed Web Application Firewall protections for these vulnerabilities across all plans, but emphasizes that WAF rules are a temporary measure and cannot replace updating WordPress to patched versions.