WordPress Core Flaw Risks Global Sites
A dual-vulnerability chain allows unauthenticated attackers to execute code, forcing a rapid, automated security update cycle.
A critical security vulnerability, now widely referred to as wp2shell, has exposed millions of WordPress installations to potential remote code execution by anonymous actors. Because the flaw resides directly within the WordPress core, even base-level configurations are susceptible, making the standard assumption of safety for default installations void.
The Anatomy of the Chain
The threat is comprised of two distinct security defects, identified as CVE-2026-63030 and CVE-2026-60137. The former is a REST API batch-route confusion, while the latter is a serious SQL injection vulnerability. When used together, they allow an attacker to bypass authentication mechanisms entirely and inject malicious commands into the underlying database. The batch-route confusion stems from a logic error in how the /wp-json/batch/v1 endpoint handles concurrent requests, effectively tricking the system into executing malicious input.
The SQL injection component exploits the author__not_in parameter within WP_Query. By supplying a string where the system expects an array, the validation process is bypassed, allowing for raw injection. These two flaws form a lethal combination that has forced developers to prioritize rapid patching.
Versioning and Exposure Risks
- 6.8.0 through 6.8.5: SQL injection vulnerability, patched in 6.8.6.
- 6.9.0 through 6.9.4: Full RCE chain, patched in 6.9.5.
- 7.0.0 through 7.0.1: Full RCE chain, patched in 7.0.2.
The exposure timeline is narrow but significant. The RCE capability was only introduced with the release of version 6.9 on December 2, 2025. While WordPress has initiated forced updates to mitigate the risk, the reliance on automated systems remains a point of concern for administrators who have manually disabled background update features.
The writeup, published under the name wp2shell, says the attack has "no preconditions and can be exploited by an anonymous user."
— Adam Kues, Assetnote
The Disclosure Race
The public availability of the exploit code on GitHub has turned what was initially a controlled disclosure into a frantic race against active exploitation. While research firms like Searchlight Cyber attempted to manage the release of information to give administrators time to patch, the open-source nature of the project meant that the patch itself provided a roadmap for others to identify and weaponize the underlying flaws.
Implications for Web Infrastructure
For organizations relying on WordPress, the primary takeaway is the insufficiency of relying solely on default configurations. While sites utilizing a persistent object cache like Redis may currently fall outside the specific execution path for the RCE chain, this is merely a incidental side effect rather than a structural fix. Administrators must verify their version status immediately, as the window for potential compromise continues to shrink. Given the history of mass exploitation within the ecosystem—such as the previous WP-SHELLSTORM campaign—the speed of patch deployment remains the single most critical factor in preventing widespread site compromise.
Continue Reading
AI Spam Filters Falter Against Salting
Modern LLM-powered email security is struggling to identify phishing attempts that use decades-old text-hiding techniques.
GPT-5.6 Data Erasure: An Honest Error?
OpenAI confirms that its latest model occasionally wipes user files, attributing the behavior to internal alignment miscalculations.
Critical Path Traversal Flaw Found in IBM Langflow OSS
A critical vulnerability in IBM Langflow OSS allows for arbitrary file writes, posing a severe risk to systems utilizing the APIRequest component.