WordPress patches wp2shell pre-auth RCE in 7.0.2 and 6.9.5
WordPress 7.0.2 and 6.9.5 shipped July 17 to close CVE-2026-63030 — a pre-auth RCE in Core built on the CVE-2026-60137 SQL injection. Detection PoC is already public.
WordPress released 7.0.2 and 6.9.5 on July 17, 2026 to patch CVE-2026-63030 — dubbed wp2shell by its discoverers — a pre-authentication remote code execution chain in Core. The RCE rides on CVE-2026-60137, a separate SQL injection in WP_Query, backported to the 6.8 branch as 6.8.6. Forced auto-updates were enabled on affected installs the same day. Detection PoC code is already on GitHub. Primary source: the Searchlight Cyber / Assetnote write-up at slcyber.io and the Rapid7 emergent-threat report at rapid7.com.
What the chain does
Two flaws, one exploit path.
- CVE-2026-60137 — SQL injection in the
author__not_inparameter ofWP_Query. Crafted input alters the underlying query. CVSS 9.1. Present from WordPress 6.8 onward. - CVE-2026-63030 — unauthenticated RCE via a route-confusion bug in the REST API batch endpoint, chained to the SQLi to write PHP through the database and execute it. CVSS 9.8. Present from WordPress 6.9 onward.
Exploitation requires no login, no plugins, no special configuration. It targets the default install. One caveat carried in the Rapid7 advisory: the RCE chain requires that a persistent object cache is not in use. Most out-of-the-box WordPress installs meet that condition.
Affected versions
- CVE-2026-63030 (RCE): 6.9.0 through 6.9.4, and 7.0.0 through 7.0.1.
- CVE-2026-60137 (SQLi): 6.8 and later, including the 6.9 and 7.0 branches.
- Anything before 6.8 is not affected by either bug.
Patched versions
- 7.0.2 — main branch fix.
- 6.9.5 — 6.9 backport.
- 6.8.6 — 6.8 backport, SQLi only (6.8 is not exposed to the RCE).
- 7.1 Beta 2 — pre-release fix for the 7.1 line.
The 6.9.5 / 7.0.2 releases are the entry points if you're on production. Because WordPress.org enabled forced automatic updates for affected sites, most sites will roll forward without operator action — but administrators should verify the version that actually installed rather than trusting the automatic mechanism.
Exploitation status
Not confirmed in-the-wild at time of writing — no vendor, GreyNoise or CERT report naming exploitation attempts against production sites, per the coverage indexed by Rapid7 and The Hacker News. What is public:
- A detection PoC for both the batch route confusion and the SQL injection is on GitHub at Senanfurkan/wordpress-cve-2026-63030. It ships both destructive and non-destructive test methods.
- Cloudflare deployed WAF rules for both CVEs on July 17.
Given the CVSS 9.8 rating, a default-install attack surface, and a public PoC on day one, "not seen yet" should be read as "not seen yet." Assume mass scanning within days.
Action checklist
- Update to WordPress 7.0.2 or 6.9.5 immediately. If you run 6.8.x, update to 6.8.6. Confirm the new version in
wp-admin— auto-update failures on plugins with hard version pins are the classic silent-fail path. - Verify the forced auto-update actually completed on every host. WordPress.org enabled it for affected installs, but staging sites, dev branches, and installs with
WP_AUTO_UPDATE_COREset tofalsewill not have taken it.wp core versionon the command line is the quickest way to check at scale. - Deploy the Cloudflare WAF managed rules for CVE-2026-63030 and CVE-2026-60137 if you sit behind Cloudflare — see the rule announcement. For non-Cloudflare edge, block or heavily inspect requests to
/wp-json/wp/v2/batch/v1and any request touchingauthor__not_inonWP_Query-backed endpoints. - Audit the last 30 days of access logs for the batch endpoint and for
author__not_inin query strings. Requests during that window that don't correspond to a plugin or admin action are the first place to look. - Rotate
wp-config.phpsecrets (AUTH_KEY,SECURE_AUTH_KEY, etc.) on any site you cannot cleanly rule out as compromised. RCE via a chained SQLi lets the attacker read and modify thewp_optionstable; secrets exposure is the low-effort persistence path.
Context
wp2shell is the second WordPress Core RCE chain publicly disclosed in 2026 — the previous being the plugin-boundary Requests bug earlier this year — but the first this year that requires no plugins, no configuration, and no user interaction to reach RCE. The default-install attack surface is what makes it materially different from the average WordPress advisory: security teams historically triage WordPress CVEs by plugin footprint, and this one bypasses that mental model.
The author__not_in SQL injection is also worth noting on its own. The parameter has existed in WP_Query for years; it's the sort of query-argument bug that survives long past the code review that should have caught it because the surrounding sanitization functions carry the appearance of safety without the substance. Anyone auditing custom REST endpoints against WP_Query in third-party plugins should assume additional exposure until each plugin's release notes explicitly address CVE-2026-60137.
What other outlets missed
Most coverage at The Hacker News, Cyber Kendra and SecurityOnline framed wp2shell around "millions of sites at risk" without flagging the persistent-object-cache condition that Rapid7's advisory calls out. Sites running Memcached or Redis as a persistent object cache — a common performance tuning at scale — are not exposed to the RCE chain even on vulnerable versions. That's a triage lever managed hosting providers will want to pull first: the SQLi still needs patching everywhere, but the RCE risk collapses on cached fleets.