WordPress Releases Emergency Patch for Critical Vulnerability Allowing Remote Access Without Password on 500 Million Sites

Versions 7.0.2, 6.9.5, and 6.8.6, released on July 17, address the wp2shell chain: two chained CVEs that enable remote code execution without authentication on any standard installation. Public PoC available since the day of the patch.
On July 17, WordPress released versions 7.0.2, 6.9.5, and 6.8.6, emergency fixes for two vulnerabilities in the core of the platform that, when chained together, allow remote code execution by any attacker without credentials. The organization has enabled forced automatic updates for affected sites, a feature that the security team only activates in situations of critical risk.
The chain has been named wp2shell by the security community. There are two distinct CVEs: CVE-2026-63030, a routing confusion in the REST API's batch endpoint, and CVE-2026-60137, an SQL injection in the author__not_in parameter of WP_Query, with a CVSS score of 9.1. Together, these vulnerabilities allow an anonymous HTTP request to completely compromise the server. Searchlight Cyber estimates that over 500 million sites run WordPress. The vulnerable versions cover the 6.8.x, 6.9.x, and 7.0.x series, with no exceptions for installations without additional plugins.
The Chain in Two Steps
The attack starts at the batch endpoint of the REST API, route /wp-json/wp/v2/batch, which processes multiple requests in parallel. CVE-2026-63030 exploits a confusion in the internal parser: a malformed route causes WordPress to treat external data as internal query parameters. This opens the second stage. CVE-2026-60137 takes advantage of the fact that WP_Query does not sanitize the author__not_in field, injecting SQL directly into the database query. This sequence allows execution of commands on the underlying operating system via the classic method of advanced SQLi. No user account, additional plugin, or human interaction is required: a standard WordPress installation is sufficient.
Beazley Security published a detailed analysis of the complete chain in advisory BSL-A1193. The proof of concept code has been publicly available on GitHub since the day of the patch. Cloudflare has deployed WAF rules covering the malicious endpoint, but the protection applies only to customers on Business and Enterprise plans.
The Most Critical Environments
Sites that have disabled automatic updates for operational needs, such as corporate deployments with customized CI/CD pipelines, intranet portals with proprietary themes, and WooCommerce stores with third-party integrations, form the most exposed subset. These are precisely the sites that WordPress cannot force to update and that often concentrate the most valuable data.
In shared hosting platforms and multitenant environments, the risk multiplies: a single compromised server can expose files and databases of dozens of different clients in the same environment, creating cross-liability between the provider and end customers.
IT consultancies and MSPs with WordPress portfolios face two simultaneous liabilities. The first is technical: a compromised site can serve as an entry point for adjacent client systems through shared credentials or database access. The second is regulatory. In the European Union, GDPR obliges data controllers to notify the competent supervisory authority within 72 hours of identifying a breach involving personal data. The penalty for non-notification can reach €10 million or 2% of global annual revenue, whichever is greater.
In the United States, state laws in California and New York set deadlines of 30 to 72 hours. For providers with SLAs covering platform security, contractual liability adds to the regulatory one.
Mitigation and Response Protocol
Updating to 7.0.2, 6.9.5, or 6.8.6 is the only definitive mitigation. Sites that cannot apply the patch immediately have a containment option: block the /wp-json/wp/v2/batch endpoint in the WAF or on the web server. Most editorial and institutional sites do not use this endpoint in production and can block it without functional impact.
Headless sites that depend on the REST API for third-party applications do not have this alternative. For them, the patch is urgent and irreplaceable. Rapid7 has published a technical analysis with indicators of compromise that SOC teams can incorporate into detection rules immediately.
The public exploitation code since July 17 puts all unpatched sites at increasing risk. The pattern documented in critical vulnerabilities of popular CMSs is consistent: massive compromises at scale begin within 72 hours after the PoC becomes available. For consultancies with client portfolios, each site without updates by July 20 represents an open incident vector and a regulatory notification deadline that may already be running.