+91 80401 38000[email protected]24/7 Expert Support
[email protected]Client Portal →
ServerGurus
← All posts
WordPressCVESecurityManaged Hosting

wp2shell: A Critical WordPress RCE That Needs No Password. Patch Your Site Before Someone Else Does

By ServerGurus Team17 July 20262 min read
wp2shell: A Critical WordPress RCE That Needs No Password. Patch Your Site Before Someone Else Does

If You Run WordPress, Someone Can Already Exploit This

WordPress released version 7.0.2 and 6.9.5 today. The patch fixes CVE-2026-63030, nicknamed wp2shell. This is not a plugin vulnerability. It is not a theme vulnerability. It is a core WordPress flaw that lets an unauthenticated attacker run arbitrary code on your server.

No login required. No plugin required. Default install. One POST request to /wp-json/batch/v1.

An estimated 500 million WordPress sites are vulnerable right now.

What Makes wp2shell Different

Most WordPress RCE vulnerabilities require an authenticated user, a specific plugin, or a misconfiguration. wp2shell needs none of that.

It chains two vulnerabilities:

  1. CVE-2026-60137: SQL injection via WordPress REST API batch route confusion
  2. CVE-2026-63030: Remote code execution via the SQL injection result

The exploit reaches the vulnerable code through a single endpoint: POST /wp-json/batch/v1. No authentication. No special headers. A working proof of concept is already public on GitHub.

Affected Versions

Version Range Status
WordPress 6.9.0 - 6.9.4 Vulnerable
WordPress 7.0.0 - 7.0.1 Vulnerable
WordPress 6.9.5 Patched
WordPress 7.0.2 Patched
WordPress < 6.9.0 Not affected

If your site runs anything between 6.9.0 and 7.0.1, you are vulnerable.

How to Check Your Site

SSH into your server and run:

wp core version --path=/var/www/html

Or from the WordPress admin dashboard, check the "At a Glance" widget for your version number.

If you see 6.9.0 through 6.9.4, or 7.0.0 through 7.0.1, patch immediately.

How to Patch

Option 1: WP-CLI (fastest)

wp core update --path=/var/www/html

Option 2: Admin Dashboard

Go to Dashboard → Updates and click "Update Now."

Option 3: Manual

Download WordPress 6.9.5 or 7.0.2 from wordpress.org and replace core files.

For cPanel/Plesk/DirectAdmin users: Use the WordPress Toolkit or Softaculous one-click update.

Detection: How to Know If You Were Hit

Check your access logs for requests to the batch endpoint around the time of unusual activity:

grep "batch/v1" /var/log/nginx/access.log
grep "batch/v1" /var/log/apache2/access.log

Look for new admin users, unexpected plugin installations, or modified files:

wp user list --path=/var/www/html | grep administrator
wp plugin list --path=/var/www/html | grep -v "inactive"
find /var/www/html -name "*.php" -mtime -3

If you find anything suspicious, restore from a pre-July 17 backup and patch immediately.

How ServerGurus Helps

Every WordPress site on our managed hosting is patched automatically within hours of a critical CVE release. Our monitoring stack flags unpatched installations. If you host with us, your sites are already updated to 7.0.2 or 6.9.5.

If you run WordPress elsewhere and need help patching - or want to move to a host that handles security updates for you - contact our support team.

Patch Today. Do Not Wait.

Public PoC code is available. Mass scanning has already started. The window between disclosure and exploitation for WordPress core RCE vulnerabilities is measured in hours, not days.

Run the update. Check your logs. Move on.

Ready to build your infrastructure?

Get a quote from our Hyderabad-based team - Tier IV datacenter, real support, INR or USD billing.

View pricingRequest a quoteWhatsApp sales