Updated
Updated · The Hacker News · Jul 17
WordPress Pushes 6.9.5 and 7.0.2 to Patch Pre-Auth RCE in 6.9-7.0 Core
Updated
Updated · The Hacker News · Jul 17

WordPress Pushes 6.9.5 and 7.0.2 to Patch Pre-Auth RCE in 6.9-7.0 Core

3 articles · Updated · The Hacker News · Jul 17

Summary

  • WordPress released 6.9.5 and 7.0.2 on July 17 and triggered forced auto-updates to close a critical flaw that lets an anonymous HTTP request execute code on default installs with no plugins.
  • Assetnote researcher Adam Kues reported the bug, dubbed wp2shell; WordPress said it stems from REST API batch-route confusion and SQL injection leading to remote code execution.
  • Affected versions span 6.9.0-6.9.4 and 7.0.0-7.0.1, while 7.1 beta2 already includes the fix; WordPress has not said whether forced updates reach sites that disabled auto-updates.
  • No CVE or CVSS had been issued by July 18, limiting scanner and CISA KEV visibility, so defenders are being told to track exposure by version number instead.
  • Searchlight said no exploitation had been reported yet, but warned public patch diffs could quickly aid attackers; temporary mitigations focus on blocking anonymous access to /wp-json/batch/v1 and rest_route=/batch/v1.

Insights

How did a critical hackable flaw get into WordPress's core, and what does it mean for API security everywhere?
Is this WordPress vulnerability a warning of a new wave of AI-powered, automated cyberattacks on the web?

Critical "wp2shell" RCE Hits WordPress: What Site Owners Must Do Now to Prevent Mass Exploitation

Overview

On July 17, 2026, a critical remote code execution vulnerability called 'wp2shell' was discovered in WordPress, posing an immediate threat to site security. This flaw targets the REST API, specifically the /wp-json/batch/v1 endpoint, and allows anonymous attackers to execute arbitrary code, risking the integrity of affected sites. The vulnerability is a sophisticated chain of two issues: a REST API batch request handler confusion and an unauthenticated SQL injection. The handler confusion lets attackers manipulate how requests are processed, paving the way for SQL injection and full site compromise. Immediate updates and temporary mitigations are essential to protect WordPress installations.

...