Skip to content
Tech News
← Back to articles

WordPress Core "wp2shell" RCE flaws get public exploits, patch now

read original more articles
Why This Matters

The release of public exploits for critical WordPress core vulnerabilities underscores the urgent need for site administrators to update their installations. These flaws enable unauthenticated remote code execution, potentially compromising millions of websites and their users. Prompt patching is essential to prevent widespread exploitation and maintain online security.

Key Takeaways

Public exploits have been released for the critical "wp2shell" remote code execution vulnerabilities affecting WordPress Core, making it imperative that administrators patch their sites immediately.

The wp2shell attack consists of two flaws, tracked as CVE-2026-63030 and CVE-2026-60137, that can be chained together to achieve pre-authentication remote code execution against WordPress installs running versions 6.9.x and 7.0.x.

The flaws were discovered by Adam Kues of Searchlight Cyber, which says an unauthenticated attacker can exploit them against a default WordPress installation.

"Searchlight Cyber's security research team has discovered a pre-authentication RCE in WordPress Core," explained Searchlight Cyber.

"The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins."

Searchlight Cyber estimates that more than 500 million websites use WordPress, giving the vulnerability a potentially massive impact, especially now that public proof-of-concept exploits have been released.

Due to the severity of the vulnerabilities, the WordPress security team has enabled forced automatic security updates for supported installations running affected versions, urging site owners to update to WordPress 7.0.2 or 6.9.5 immediately.

"Because this is a security release, it is recommended that you update your sites immediately," WordPress said in its security announcement.

"Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions."

The issue is not a single vulnerability but rather two independent flaws that can be combined into an unauthenticated remote code execution chain.

... continue reading