WordPress Core "wp2shell" RCE flaws get public exploits, patch now
AI Generated Image

WordPress Core "wp2shell" RCE flaws get public exploits, patch now

BleepingComputer technology

Key Points:

  • Critical "wp2shell" remote code execution vulnerabilities (CVE-2026-63030 and CVE-2026-60137) have been discovered in WordPress Core versions 6.9.x and 7.0.x, allowing unauthenticated attackers to execute code remotely on default installations.
  • The vulnerabilities involve a REST API batch-route confusion flaw combined with a high-severity SQL injection in the 'author__not_in' parameter, enabling a chained attack that affects over 500 million WordPress sites.
  • WordPress has released security updates (versions 7.0.2 and 6.9.5) and enabled forced automatic updates for affected installations, urging immediate patching to prevent exploitation.
  • Public proof-of-concept exploits have been published, and initial signs of in-the-wild exploitation have been reported, increasing the urgency for site administrators to update or apply temporary mitigations like blocking REST API access.
  • Cloudflare has deployed Web Application Firewall protections for these vulnerabilities across all plans, but emphasizes that WAF rules are a temporary measure and cannot replace updating WordPress to patched versions.

Trending Business

Trending Technology

Trending Health