Back to advisories

WordPress Core "wp2shell" RCE flaws get public exploits, patch now

Critical unauthenticated RCE vulnerabilities in WordPress Core (CVE-2026-63030, CVE-2026-60137) are actively exploited via public PoCs. The wp2shell attack chains REST API and SQL injection flaws to achieve code execution on default installations of WordPress 6.9.x and 7.0.x. All affected WordPress instances are at immediate risk.

CRITICALAdvisoryJul 19, 2026
Action required
Identify and patch all WordPress installations to versions 6.9.5 or 7.0.2 immediately. Hunt logs for REST API batch-route requests and SQL injection patterns targeting wp_users and wp_options tables. Block or isolate any WordPress instances still running 6.9.x or 7.0.x pending patching.
Affected products
WordPress CoreWordPress.orgSearchlight CyberCloudflare