Home Cybersecurity & Hacking Critical Pre-Authentication Remote Code Execution Vulnerability Discovered in WordPress Core, Triggering Urgent Forced Updates for Millions of Sites

Critical Pre-Authentication Remote Code Execution Vulnerability Discovered in WordPress Core, Triggering Urgent Forced Updates for Millions of Sites

by admin

A severe security vulnerability, allowing anonymous attackers to execute arbitrary code on WordPress websites without prior authentication, has been disclosed and subsequently patched in an urgent release. The critical flaw, affecting WordPress core versions 6.9 and 7.0, means that a bare installation with no plugins is immediately exploitable, posing a significant threat to a vast segment of the internet. WordPress responded swiftly on Friday, July 17, 2026, by deploying versions 6.9.5 and 7.0.2 and leveraging its auto-update system for a "forced update" to mitigate the risk.

The vulnerability was identified by Adam Kues, a security researcher at Assetnote, the attack surface management division of Searchlight Cyber. Kues reported the flaw through WordPress’s established HackerOne bug bounty program, adhering to responsible disclosure protocols. Searchlight Cyber published a preliminary write-up on the vulnerability, branding it "wp2shell," which unequivocally states that the attack "has no preconditions and can be exploited by an anonymous user." This designation underscores the extreme severity of the flaw, as it requires no prior access, authentication, or specific site configuration, making it a prime target for widespread automated exploitation.

Understanding the Severity: Pre-Auth RCE

The term "Pre-Authentication Remote Code Execution" (RCE) signifies one of the most dangerous classes of vulnerabilities in web security. It means an attacker can execute arbitrary commands on a target server before needing to authenticate or log in. This grants immediate and complete control over the compromised website, allowing for data theft, defacement, malware injection, or even using the site as a launchpad for further attacks. When combined with a core vulnerability in a widely used platform like WordPress, the implications are catastrophic.

WordPress, powering an estimated 43% of all websites globally, represents an enormous attack surface. While the total install base exceeds 500 million websites, Searchlight’s report clarifies that the flawed code specifically exists from version 6.9 onward. Given that WordPress 6.9 shipped on December 2, 2025, the affected population comprises sites running releases less than eight months old. While WordPress has not provided an exact figure for the vulnerable population, this still represents millions of relatively recent installations susceptible to compromise.

Discovery, Disclosure, and Mitigation

Adam Kues’s discovery of the vulnerability was a critical intervention. The responsible disclosure via HackerOne allowed WordPress to develop and deploy patches before the full technical details of the exploit were made public. Searchlight Cyber, in line with its commitment to responsible disclosure, has temporarily withheld the detailed technical specifics of the exploit. Instead, they have launched a public-facing checker tool at wp2shell.com, enabling site owners to independently verify if their WordPress instance is vulnerable. This approach aims to give defenders a crucial head start in patching their systems while minimizing the immediate risk of opportunistic exploitation by malicious actors.

WordPress responded with remarkable speed, releasing security updates 6.9.5 and 7.0.2 on July 17, 2026. These updates specifically address the pre-authentication RCE vulnerability in the core. The affected version ranges are primarily 6.9 and 7.0. Additionally, WordPress 7.1 beta2 also carries the same fix, ensuring that even pre-release versions are secured. It is important to note that sites still operating on older 6.8 branches also received an update (6.8.6), though this particular patch addresses a different SQL injection bug reported by a separate research team, highlighting a broader ongoing effort to fortify the platform.

Forced Updates and the Auto-Update Dilemma

A significant aspect of WordPress’s response is the implementation of "forced updates" through its auto-update system. This mechanism is designed to push critical security patches to a vast number of installations rapidly, overriding user-configured settings in some cases. However, WordPress has not clarified whether this forced push reaches sites that have explicitly disabled auto-updates. This ambiguity necessitates that site administrators actively verify the version they are running rather than assuming the patch has landed. Manual checks and updates remain the most reliable course of action for absolute certainty.

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

The reliance on forced updates for critical vulnerabilities highlights the continuous tension between user control and security imperatives in open-source software. While auto-updates are a boon for many less-technical users, preventing a massive wave of compromises, administrators of larger or more complex sites often disable them to ensure compatibility and stability with custom themes, plugins, and integrations. For these administrators, the onus remains on proactive monitoring and manual patching.

Technical Details and the REST API

WordPress’s official release post describes Kues’s finding as "a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution." This description offers more insight into the nature of the flaw than the initial researcher’s write-up. It indicates a complex vulnerability chain:

  1. REST API Batch-Route Confusion: The WordPress REST API allows applications to interact with the website programmatically. The "batch endpoint" (available since WordPress 5.6 in November 2020) enables clients to send multiple requests in a single HTTP request, improving efficiency. "Batch-route confusion" suggests that the API server could misinterpret or incorrectly process sequences of requests within a batch, potentially allowing an attacker to bypass security checks or invoke unintended functions.
  2. SQL Injection Issue: This common vulnerability allows attackers to manipulate database queries by injecting malicious SQL code. In this context, it likely means that an attacker could craft specific input that, when processed through the confused batch route, leads to an exploitable SQL injection.
  3. Leading to Remote Code Execution (RCE): The most critical outcome. A successful SQL injection, especially when it can manipulate database functions or file paths, can often be escalated to RCE, giving the attacker full control over the server.

The patch for this vulnerability touched three core files, as listed on the version page for 7.0.2:

  • /wp-includes/rest-api/class-wp-rest-server.php: This file is central to how the REST API processes requests. Changes here likely address the "batch-route confusion."
  • /wp-includes/class-wp-query.php: This class handles database queries in WordPress. Modifications here would target the SQL injection aspect.
  • /wp-includes/rest-api.php: Another core file for the REST API, potentially related to how API requests are initialized or routed.

The fact that the batch endpoint has existed since WordPress 5.6 (November 2020) but became exploitable only from version 6.9 onward strongly suggests that a change introduced in WordPress 6.9 (released December 2, 2025) inadvertently opened this attack vector. What specific change led to this vulnerability remains undisclosed, but it highlights the delicate balance of introducing new features or optimizations while maintaining robust security.

Absence of CVE and Impact on Tracking

As of July 18, neither the WordPress advisories nor Searchlight Cyber’s write-up carried a CVE ID or a CVSS score. This absence has immediate implications for the cybersecurity community.

  • CVE-keyed Scanners and Inventories: Automated security scanners and asset management systems that rely on CVE IDs to identify vulnerabilities will not flag this specific issue. Organizations that depend on these tools for vulnerability management may miss the critical patch requirement.
  • CISA KEV Catalog: The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities (KEV) Catalog, which lists vulnerabilities that have been observed being actively exploited in the wild. Federal agencies are mandated to patch vulnerabilities in the KEV catalog within specific timeframes. Without a CVE ID, CISA cannot formally add this vulnerability to its catalog, potentially delaying awareness and remediation efforts for entities reliant on this resource.

In the interim, organizations are advised to track this vulnerability by its version numbers (WordPress 6.9.5 and 7.0.2) and the descriptive name "wp2shell." This manual tracking emphasizes the need for proactive security measures beyond automated scanning tools in rapidly evolving threat landscapes.

Immediate Mitigations for Unpatched Systems

For administrators who cannot immediately update their WordPress sites, Searchlight Cyber has offered several stopgap mitigations. These measures are designed to block anonymous access to the vulnerable batch endpoint but come with a caveat: they are temporary solutions and may disrupt legitimate integrations that rely on the REST API.

  1. Disable the Batch API Endpoint: This is the most direct approach. By preventing access to /wp-json/batch/v1, attackers cannot exploit the vulnerability. However, any plugins or themes that utilize the batch API for performance or functionality will cease to work correctly.
  2. Restrict Access to the REST API: Implementing server-level rules (e.g., via .htaccess or Nginx configurations) to restrict access to /wp-json/ or specific REST API endpoints to known, trusted IP addresses or authenticated users can prevent anonymous exploitation. This is a more granular approach but still risks breaking legitimate unauthenticated API calls.
  3. Implement Web Application Firewall (WAF) Rules: A WAF can be configured to detect and block malicious requests targeting the batch endpoint. Custom rules can be written to identify patterns associated with the wp2shell exploit. This offers a layer of protection without directly altering the WordPress core, but requires a WAF solution and ongoing rule maintenance.

These mitigations are strictly temporary. The only definitive solution is to update WordPress to versions 6.9.5, 7.0.2, or 7.1 beta2 (or later).

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

The Broader Threat Landscape: Mass Exploitation

The discovery of wp2shell comes amidst a pervasive threat landscape characterized by mass exploitation campaigns targeting WordPress vulnerabilities. The article highlights a recent example: the "WP-SHELLSTORM" crew, who reportedly compromised over 17,000 sites using a caching-plugin flaw. This particular bug was already public and patched, and only worked on a non-default setting, yet it still led to widespread compromise. The wp2shell vulnerability, being a pre-authentication RCE in core with no preconditions, is significantly more dangerous and has the potential for even broader impact.

The speed with which vulnerabilities can be weaponized is a constant challenge. The article references a similar anonymous SQL injection bug in Drupal core (CVE-2026-9082) that was patched in May. Searchlight Cyber published a "same-day teardown" with two working proofs of concept for the Drupal flaw. This demonstrates the rapid pace at which skilled researchers (and by extension, malicious actors) can reverse-engineer patches to develop exploits. While Searchlight Cyber has chosen to withhold technical details for wp2shell, the precedent suggests that this period of grace may be limited.

The Open-Source Security Dilemma

The situation with wp2shell encapsulates a fundamental dilemma inherent to open-source software security. WordPress core, including its patches, is publicly available in release archives. When a security fix is shipped, it inherently provides a "map to the bug" for anyone with sufficient technical expertise to compare the patched code with the vulnerable versions. This transparency is a cornerstone of open-source development, fostering trust and allowing for independent security audits. However, it also means that the window of opportunity for attackers to reverse-engineer and exploit a vulnerability is directly linked to how quickly the patch reaches affected sites.

WordPress’s decision to deploy forced updates on Friday, July 17, 2026, was a direct attempt to "pull that lever" – to maximize the speed of patch deployment and get ahead of potential mass exploitation. The race is now between the rate of successful auto-updates and manual patching by site owners, and the speed at which attackers can develop and deploy exploits based on the publicly available patches. Network traffic analysis targeting /wp-json/batch/v1 will eventually reveal when attackers arrive, and WordPress’s internal version statistics will indicate the efficacy of the patching efforts. The outcome of this race, particularly the number of sites compromised versus those successfully patched, will define the narrative of this critical incident.

Conclusion and Recommendations

The wp2shell vulnerability represents a serious threat to the WordPress ecosystem. The combination of pre-authentication RCE, a core component, and the vast install base of WordPress necessitates immediate action from site administrators.

  • Prioritize Updates: The most crucial step is to update WordPress to versions 6.9.5 or 7.0.2 (or later) immediately. Do not rely solely on auto-updates; verify your site’s version.
  • Implement Mitigations: If immediate patching is impossible, deploy the recommended stopgap measures (disabling batch API, restricting REST API access, or WAF rules) with caution, understanding potential compatibility issues.
  • Stay Informed: Monitor official WordPress security announcements and reputable cybersecurity news sources for further technical details or exploit attempts.
  • Regular Backups: Maintain frequent and reliable backups of your website data and files, enabling quick recovery in case of compromise.
  • Security Best Practices: Continue to follow general WordPress security best practices, including using strong passwords, keeping plugins and themes updated, and utilizing security plugins for additional layers of protection.

While no exploitation attempts had been publicly reported as of July 18, the absence of a CVE ID means that many traditional monitoring systems are not yet specifically looking for this threat. The open-source nature of WordPress ensures that the details of the vulnerability will eventually become widely known. The speed and decisiveness of WordPress’s patching efforts, coupled with the proactive response of site administrators, will be the determining factors in limiting the potential impact of this critical vulnerability.

You may also like

Leave a Comment