**wp2shell: A Critical Two-Vulnerability Chain in WordPress**
An anonymous HTTP request can execute code on a WordPress site. The vulnerability exists in core, meaning even a default installation with zero plugins is exploitable. Sites running WordPress 6.9 and 7.0 were at risk until July 18, 2026, when WordPress released version 6.9.5 and 7.0.2, enabling forced updates through its auto-update system to remediate the issue.
The vulnerabilities, collectively referred to as **wp2shell**, consist of two distinct flaws: **CVE-2026-63030**, a REST API batch-route confusion, and **CVE-2026-60137**, a SQL injection in WordPress core. When chained together, these vulnerabilities allow an unauthenticated attacker to execute code on affected sites.
### Technical Breakdown
To understand the wp2shell exploit, you must examine each vulnerability independently and how they work in tandem:
1. **CVE-2026-60137 (SQL Injection)**: This vulnerability lies in the `WP_Query` class’s `author__not_in` parameter. When a string is passed instead of an array, the type-checking mechanism fails, allowing raw user input to be injected directly into the SQL query. While serious, this flaw alone only grants database access.
2. **CVE-2026-63030 (Batch Route Confusion)**: The REST API batch endpoint (`/wp-json/batch/v1`) processes multiple requests in a single call. It maintains two parallel arrays to track requests and handlers. A bug in the logic causes these arrays to fall out of sync by one position when an error occurs. This misalignment allows an attacker to submit a malicious request under the context of a different, authorized request.
The true danger emerges when these flaws are combined: the batch route confusion bypasses authentication and access controls, delivering unauthenticated input directly into the vulnerable SQL query. This chain results in Remote Code Execution (RCE) without requiring any prior authentication.
### Scope and Impact
The vulnerabilities affect different WordPress versions in distinct ways:
– **6.8.0 – 6.8.5**: Vulnerable to SQL injection only, patched in 6.8.6.
– **6.9.0 – 6.9.4**: Vulnerable to the full RCE chain, patched in 6.9.5.
– **7.0.0 – 7.0.1**: Vulnerable to the full RCE chain, patched in 7.0.2.
Sites running WordPress 7.1 beta2 include both fixes. Notably, a default WordPress installation (without a persistent object cache) remains susceptible to the full exploit. While persistent object caches like Redis or Memcached can mitigate the RCE component, they do not address the underlying SQL injection.
With WordPress powering over 500 million websites, the potential attack surface is vast. Fortunately, the exploit requires specific conditions and has been addressed with available updates.
### Mitigations and Workarounds
If immediate patching is not feasible, several temporary measures can reduce risk:
– **Block Access to the Batch Endpoint**: Use a Web Application Firewall (WAF) to block both `/wp-json/batch/v1` and `rest_route=/batch/v1`.
– **Disable the REST API**: This prevents unauthenticated access but may disrupt legitimate integrations.
– **Custom Rules**: Implement a drop-in plugin that rejects anonymous requests to the `/batch/v1` endpoint.
These steps are stopgap measures. Applying the official updates remains the only definitive solution.
### FAQ
**Q: Can a site with no plugins still be exploited?**
Yes. The vulnerabilities exist in WordPress core, so even a default installation is at risk.
**Q: What is the role of persistent object cache in this exploit?**
A default installation without a persistent object cache is fully susceptible. Object caches like Redis or Memcached can block the RCE component but not the SQL injection.
**Q: Are forced updates reliable?**
WordPress forces updates for sites with auto-updates enabled. However, sites with updates manually disabled may not receive the patch automatically.
**Q: How can I verify my site is patched?**
Check your WordPress version. Ensure you are running version 6.8.6, 6.9.5, 7.0.2, or later.
**Q: Why are there two CVE IDs for a single exploit chain?**
Each vulnerability in the chain is distinct and carries its own CVE. The batch-route flaw and the SQL injection are separate issues, but together they enable full code execution.
### Conclusion
The wp2shell vulnerabilities highlight the complex interplay between multiple flaws in widely used software. While WordPress responded quickly with patches, the public disclosure of the exploit means defenders must act swiftly. Users should update immediately, while developers and security teams should review the technical details to understand and mitigate similar risks in their own systems. The episode serves as a reminder that even “default” configurations can be vulnerable when multiple overlooked bugs align.



