Public exploits published for critical WordPress core flaws, patch urged

by

Public proof of concept exploits have been released for critical WordPress core vulnerabilities known as wp2shell, a chain that can lead to unauthenticated remote code execution on versions 6.9.x and 7.0.x and has prompted immediate patching advice for site owners.

KEY FACTS

  • Flaws The attack chain combines CVE-2026-63030 and CVE-2026-60137.
  • Affected versions WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 are exposed to the full chain.
  • Fix WordPress 6.9.5 and 7.0.2 close the issue.
  • Mitigations Searchlight Cyber recommends blocking anonymous REST API access or restricting batch routes at the WAF level.
  • Protections Cloudflare said it deployed WAF rules for both flaws across proxied accounts.

A technical analysis from Searchlight Cyber says the issue can be triggered by an anonymous user on a stock WordPress installation with no plugins. The company says the two flaws can be chained to reach pre-authentication remote code execution.

The first bug, CVE-2026-63030, is a REST API batch-route confusion flaw introduced in WordPress 6.9. The second, CVE-2026-60137, is an SQL injection issue in the author__not_in parameter of WP_Query that affects WordPress 6.8 and later.

WordPress said the complete attack chain affects versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. It also said the SQL injection bug affects 6.8.0 through 6.8.5, but that older line cannot be used for remote code execution because the batch-route flaw was added later.

The report says the full chain has been fixed in WordPress 6.9.5 and 7.0.2, and the security team has enabled forced automatic updates for supported installations running affected versions. Searchlight Cyber is also using wp2shell.com to let administrators test whether their sites are vulnerable while withholding technical details.

Multiple public exploits have since appeared on GitHub, and some are said to extract password hashes, crack an administrator account and upload a malicious plugin. Other proof of concept code claims to reach remote code execution without admin credentials. WatchTowr said it has seen signs of in-the-wild exploitation after the public releases.

WHY IT MATTERS

WordPress powers a large share of the web, so a flaw that can lead to unauthenticated code execution raises the risk of broad compromise. Site operators are being urged to update immediately, since temporary mitigations are only meant to buy time until patching is complete.