wp2shell: A Critical WordPress RCE That Needs No Password. Patch Your Site Before Someone Else Does

If You Run WordPress, Someone Can Already Exploit This
WordPress released version 7.0.2 and 6.9.5 today. The patch fixes CVE-2026-63030, nicknamed wp2shell. This is not a plugin vulnerability. It is not a theme vulnerability. It is a core WordPress flaw that lets an unauthenticated attacker run arbitrary code on your server.
No login required. No plugin required. Default install. One POST request to /wp-json/batch/v1.
An estimated 500 million WordPress sites are vulnerable right now.
What Makes wp2shell Different
Most WordPress RCE vulnerabilities require an authenticated user, a specific plugin, or a misconfiguration. wp2shell needs none of that.
It chains two vulnerabilities:
- CVE-2026-60137: SQL injection via WordPress REST API batch route confusion
- CVE-2026-63030: Remote code execution via the SQL injection result
The exploit reaches the vulnerable code through a single endpoint: POST /wp-json/batch/v1. No authentication. No special headers. A working proof of concept is already public on GitHub.
Affected Versions
| Version Range | Status |
|---|---|
| WordPress 6.9.0 - 6.9.4 | Vulnerable |
| WordPress 7.0.0 - 7.0.1 | Vulnerable |
| WordPress 6.9.5 | Patched |
| WordPress 7.0.2 | Patched |
| WordPress < 6.9.0 | Not affected |
If your site runs anything between 6.9.0 and 7.0.1, you are vulnerable.
How to Check Your Site
SSH into your server and run:
wp core version --path=/var/www/html
Or from the WordPress admin dashboard, check the "At a Glance" widget for your version number.
If you see 6.9.0 through 6.9.4, or 7.0.0 through 7.0.1, patch immediately.
How to Patch
Option 1: WP-CLI (fastest)
wp core update --path=/var/www/html
Option 2: Admin Dashboard
Go to Dashboard → Updates and click "Update Now."
Option 3: Manual
Download WordPress 6.9.5 or 7.0.2 from wordpress.org and replace core files.
For cPanel/Plesk/DirectAdmin users: Use the WordPress Toolkit or Softaculous one-click update.
Detection: How to Know If You Were Hit
Check your access logs for requests to the batch endpoint around the time of unusual activity:
grep "batch/v1" /var/log/nginx/access.log
grep "batch/v1" /var/log/apache2/access.log
Look for new admin users, unexpected plugin installations, or modified files:
wp user list --path=/var/www/html | grep administrator
wp plugin list --path=/var/www/html | grep -v "inactive"
find /var/www/html -name "*.php" -mtime -3
If you find anything suspicious, restore from a pre-July 17 backup and patch immediately.
How ServerGurus Helps
Every WordPress site on our managed hosting is patched automatically within hours of a critical CVE release. Our monitoring stack flags unpatched installations. If you host with us, your sites are already updated to 7.0.2 or 6.9.5.
If you run WordPress elsewhere and need help patching - or want to move to a host that handles security updates for you - contact our support team.
Patch Today. Do Not Wait.
Public PoC code is available. Mass scanning has already started. The window between disclosure and exploitation for WordPress core RCE vulnerabilities is measured in hours, not days.
Run the update. Check your logs. Move on.