Public exploits have been released for the critical "wp2shell" remote code execution vulnerabilities affecting WordPress Core, making it imperative that administrators patch their sites immediately.
The wp2shell attack consists of two flaws, tracked as CVE-2026-63030 and CVE-2026-60137, that can be chained together to achieve pre-authentication remote code execution against WordPress installs running versions 6.9.x and 7.0.x.
The flaws were discovered by Adam Kues of Searchlight Cyber, which says an unauthenticated attacker can exploit them against a default WordPress installation.
"Searchlight Cyber's security research team has discovered a pre-authentication RCE in WordPress Core," explained Searchlight Cyber.
"The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins."
Searchlight Cyber estimates that more than 500 million websites use WordPress, giving the vulnerability a potentially massive impact, especially now that public proof-of-concept exploits have been released.
Due to the severity of the vulnerabilities, the WordPress security team has enabled forced automatic security updates for supported installations running affected versions, urging site owners to update to WordPress 7.0.2 or 6.9.5 immediately.
"Because this is a security release, it is recommended that you update your sites immediately," WordPress said in its security announcement.
"Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions."
The issue is not a single vulnerability but rather two independent flaws that can be combined into an unauthenticated remote code execution chain.
... continue reading