Full Report
An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced updates through its auto-update system. Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, found the flaw and reported
Analysis Summary
# Vulnerability: wp2shell WordPress Core Remote Code Execution
## CVE Details
- **CVE ID:** Not yet assigned (as of July 18, 2026)
- **CVSS Score:** N/A (Estimated Critical)
- **CWE:** CWE-89 (SQL Injection) / CWE-436 (Interpretation Conflict)
## Affected Systems
- **Products:** WordPress Core
- **Versions:**
- 6.9.0 through 6.9.4
- 7.0.0 through 7.0.1
- **Configurations:** Default installations (no plugins required). The flaw exists in the REST API batch framework.
## Vulnerability Description
The "wp2shell" vulnerability is a critical flaw in WordPress core involving REST API batch-route confusion combined with a SQL injection issue. Attackers can send a specially crafted anonymous HTTP request to the REST API batch endpoint, leading to unauthenticated Remote Code Execution (RCE). Because the vulnerability resides in the core REST API handling, it affects "bare" installs.
## Exploitation
- **Status:** PoC exists (private/held by researchers); no reports of exploitation in the wild as of July 18, 2026.
- **Complexity:** Low (No preconditions or authentication required).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full system/data access)
- **Integrity:** High (Ability to modify site content and core files)
- **Availability:** High (Potential for site takeover or deletion)
## Remediation
### Patches
- **WordPress 6.9.5:** Fixes the 6.9.x branch.
- **WordPress 7.0.2:** Fixes the 7.0.x branch.
- **WordPress 7.1 beta2:** Contains the fix for the upcoming release.
*Note: WordPress has initiated a forced auto-update for many sites.*
### Workarounds
*These are temporary measures and may break legitimate site integrations:*
1. **WAF Blocking:** Block requests to both `hxxps://example[.]com/wp-json/batch/v1` and `hxxps://example[.]com/?rest_route=/batch/v1`.
2. **Disable REST API:** Use a plugin or code snippet to disable the WP REST API for unauthenticated users entirely.
3. **Drop-in Plugin:** Use a specific filter at `rest_pre_dispatch` to reject anonymous requests specifically targeting the `/batch/v1` route.
## Detection
- **Indicators of Compromise:** Monitor logs for unusual POST requests to the `/batch/v1` endpoint coming from unauthenticated or anonymous IP addresses.
- **Detection Methods:**
- Check the `wp-includes/version.php` or the Site Health dashboard to ensure the version is 6.9.5 or 7.0.2+.
- Use the official "wp2shell" checker provided by Assetnote (Searchlight Cyber) at `hxxps://wp2shell[.]com/`.
## References
- [Vendor Advisory - WordPress 7.0.2 Release](hxxps://wordpress[.]org/news/2026/07/wordpress-7-0-2-release/)
- [Researcher Writeup - Searchlight Cyber (Assetnote)](hxxps://slcyber[.]io/research-center/wp2shell-pre-authentication-rce-in-wordpress-core)
- [WordPress Documentation - Version 7.0.2](hxxps://wordpress[.]org/documentation/wordpress-version/version-7-0-2/)