New wp2shell WordPress Core Flaw Allows Unauthorized Attackers to Execute Code

An anonymous HTTP request can run code on a WordPress site. The bug is internal, so an empty install with zero plugins is usable.
Every domain 6.9 and 7.0 was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and did what it calls forced updates through its automatic update system.
Adam Kues at Assetnote, the attack domain management arm of Searchlight Cyber, discovered the bug and reported it to HackerOne’s WordPress platform. Writing, published under the name wp2shellit says the attack is “unconditional and can be exploited by an unknown user.”
The company is sitting on technical details for now and has put a test on wp2shell.com instead, so owners can test their own for example.
WordPress released 6.9.5 and 7.0.2 on July 17, 2026, disabling RCE for pre-authorization that could trigger an anonymous request against automatic installation without plugins. Two ranges are affected:
- 6.9.0 to 6.9.4, fixed in 6.9.5
- 7.0.0 to 7.0.1, fixed in 7.0.2
WordPress did not specify that the forced push reaches sites that have turned off auto-renew. Check what you are actually running rather than assuming it has arrived.
7.1 beta2 carries the same fix. Sites on 6.8 have an update pending as well, but 6.8.6 is the second SQL injection bug in the same round, reported by a different team.
Searchlight posts estimates that more than 500 million websites use WordPress. That figure is the total number of installations, not the number of vulnerable people: the flawed code only exists from 6.9 onwards, and 6.9 was shipped on 2 December 2025. So every affected site is running a release less than eight months old, and there’s no telling how many sites that includes.
WordPress comes more in the category of bug than researcher. Its post describes Kues’ findings as “REST API batch-route confusion and SQL injection problem leading to Remote Code Execution.” The release includes one critical bug and one high severity, and WordPress doesn’t say which one.
The version page lists three files 7.0.2 affected, including both fixes: /wp-includes/rest-api/class-wp-rest-server.php, /wp-includes/class-wp-query.php, and /wp-includes/rest-api.php. The fate of the group is not new. WordPress has shipped it since 5.6 in November 2020 and has written the request format publicly since then. Nothing has been published so far explaining what has changed in 6.9 to enable it.
No advisor has a CVE ID or CVSS score, and no CVE record has appeared as of July 18. CVE-keyed scanners and lists will not flag this one, and CISA requires a CVE before adding anything to the KEV catalog. Follow it with a version number instead.
If you can update today
All of Searchlight’s mitigation offers drop at the end of unknown callers not at the end of the stack. Three options, all blank until you update, and all capable of breaking the official integration:
- In WAF, block both /wp-json/batch/v1 and rest_route=/batch/v1. The firm makes it clear that both should go, because a rule that only covers the /wp-json path leaves the query string route open.
- Disable WP REST API, which kills unauthorized REST access transactions.
- A short logging plugin that publishes and rejects anonymous /batch/v1 requests to rest_pre_dispatch.
No exploit attempts have been reported since July 18. With no CVE to mark and no public signature to match, no one really cares anymore.
Big WordPress exploitation is an industry now. Before its server was leaked in June, a single caching-plugin bug found the WP-SHELLSTORM staff on more than 17,000 sites by its count. That bug was public, has already been removed, and only works in a non-default setting.
When Drupal patched an anonymous SQL injection into its context in May, Searchlight turned that public fix into a same-day takedown with two working proofs of concept. That was someone else’s bug and someone else’s patch, and there’s nothing forcing the company to do the same for theirs. But it took a day, and the people who set that clock are now betting that silence buys the defenders time.
WordPress core is open source, and 7.0.1 and 7.0.2 both live in the public release repository, so a comparison is available to anyone who wants it. That’s the bane of every open source project: you can’t send a fix without sending a map to the bug, and the only thing left is how fast the patch gets to sites before someone reads it.
WordPress pulled that feature on Friday. The traffic against batch/v1 will be visible when the attackers arrive, and the statistics of the WordPress version will show that the patch got there first. Only one of those numbers ever made the news.



