WP2Shell: Why Millions of WordPress Sites Are at Risk | CVE-2026-63030

Wordpress wp2shell
Wordpress wp2shell

The CVE-2026-63030 – “wp2shell”: Why Millions of WordPress Sites Are Vulnerable and Emergency to Patch

If you run a WordPress website—whether it’s a personal blog, a local business page, or a massive e-commerce store—you need to check your dashboard immediately. On July 17, 2026, the WordPress Security Team issued a emergency, critical security update to patch a newly discovered threat dubbed “wp2shell.”

This isn’t normal security flaw. Most WordPress hacks happen because someone forgot to update a third-party plugin or theme. The wp2shell flaw is far more dangerous: it lives inside the core WordPress software itself.

The Threat Profile: What is wp2shell?

Discovered by security researcher Adam Kues at Searchlight Cyber (Assetnote), wp2shell is an exploit chain targeting default WordPress installations.

  • No Plugins Required: An attacker does not need any specific plugin or theme installed on your site to break in. A completely blank, out-of-the-box WordPress site is fully vulnerable.
  • No Login Required: It is a “pre-authentication” vulnerability. Hackers do not need an account, a stolen password, or any special user permissions. They just need your web address.
  • Total Remote Takeover: The flaw allows for Remote Code Execution (RCE). If exploited, an anonymous hacker can run arbitrary code on your hosting server, effectively hijacking your entire website to steal data, install malware, or create permanent backdoors.

How the Attack Chain Works

The exploit combines two newly uncovered vulnerabilities found in WordPress versions 6.9.0 through 7.0.1 (tracked under CVE-2026-63030):

Chain attack works
Chain attack works

The attacker sends a highly targeted request to the site’s default API batch processing endpoint (`/wp-json/batch/v1`). The system gets confused, desynchronizes, and allows the attacker’s instructions to bypass core restrictions entirely, added wordpress advisory.

Who is Impacted?

The vulnerable code was introduced in late 2025 with the release of WordPress 6.9. Check your site’s version right now to see where you stand:

WordPress Version  Vulnerability StatusAction Required
Older than 6.8 Safe (Code does not exist yet)None for this specific bug
6.8.0 to 6.8.5 Partial Risk (Affected by minor SQL flaw only)Update to 6.8.6
6.9.0 to 6.9.4Critical Risk (Full wp2shell Exploit)Update to 6.9.5
7.0.0 to 7.0.1Critical Risk (Full wp2shell Exploit)Update to 7.0.2

What You Need to Do Right Now

Because WordPress powers over 40% of the internet, the core team took the rare step of forcing automatic updates to all connected sites. However, you should never assume your site updated automatically—many hosting environments, custom codebases, or server firewalls block these forced pushes.

  • Step 1: Verify Your Version

Log into your WordPress admin dashboard and look at the “At a Glance” box or check the bottom-right corner. Confirm that you are running 7.0.2, 6.9.5, or 6.8.6. If you aren’t, hit the manual Update Now button immediately.

  • Step 2: Scan Your Site

The researchers who found the bug have released a free, public vulnerability checker at `wp2shell.com`. You can enter your domain there to verify whether your live server is still exposed.

  • Step 3: Emergency Workaround (If You Can’t Update)

If updating right this second will break custom software on your site, you must block access to the vulnerable API path. You can do this by setting a rule in your Web Application Firewall (WAF) or using a security plugin to block anonymous access to:

`/wp-json/batch/v1`
`?rest_route=/batch/v1`

Note: Technical details of the exploit are currently being withheld to give site owners time to patch, but proof-of-concept attacks are already beginning to circulate among hacker communities. Do not delay your update.

Previous Article
eu orders google

EU Orders Google To Share Android Mic, Camera, GPS, Search Data - A Report

Related Posts