Saturday, July 18, 2026

New WordPress Core Flaw Allows Unauthenticated Code Execution

An anonymous HTTP request can run code on a WordPress site. This issue affects software versions 6.9 and 7.0, which are at risk until the recent patch. WordPress has released updates 6.9.5 and 7.0.2 to fix the problem.

The flaw, known as wp2shell, consists of two bugs with CVE IDs. CVE-2026-63030 relates to a mistake in the REST API, while CVE-2026-60137 is a SQL injection in WordPress. Together, these bugs can allow an anonymous user to execute code on the site.

Adam Kues from Assetnote discovered the batch-route bug and reported it through WordPress’s HackerOne program. Researchers have published details about the attack, which requires no prior conditions to be triggered. The injection flaw has been noted separately by other contributors.

Not all versions have the same vulnerabilities. The SQL injection affects versions up to 6.8.5, while the batch-route issue only appears from version 6.9 onwards. Therefore, users should be aware of which version they are running.

WordPress has not confirmed if automatic updates will reach sites that have switched off this feature. Users should check their version to ensure they are protected. The issue impacts a large number of sites, with over 500 million running WordPress globally.

To protect against this bug until an update is made, users should consider blocking certain API routes or completely disabling the REST API.

Test Your Understanding

Start Quiz

Vocabulary List:
6 words · tap to reveal
ON

Accent

anonymous/əˈnɑnəməs/adjective
not using a real or known name

vulnerabilities/ˌvʌlnərəˈbɪlətiz/noun
weak parts that can be used to harm

injection/ɪnˈdʒɛkʃən/noun
adding harmful code into software or database

execute/ˈɛksɪˌkjuːt/verb
to run a program or command

patch/pætʃ/noun
a small update that fixes software problems

triggered/ˈtrɪɡərd/verb
caused something to start or happen

How much do you know?

What is the code name of the flaw that affects WordPress versions 6.9 and 7.0?
wp2shell
batch-route
CVE-2026-63030
CVE-2026-60137
Which user discovered the batch-route bug?
Adam Kues
WordPress Team
HackerOne
Assetnote
What is the highest affected version for SQL injection vulnerabilities?
6.9
6.9.5
6.8.5
7.0
What is the version number of the recent patch released by WordPress?
6.9.5
7.0.2
6.8.5
7.1
How many WordPress sites are running globally?
100 million
200 million
500 million
1 billion
Which CVE ID relates to the SQL injection vulnerability?
CVE-2026-63030
CVE-2026-60137
CVE-2023-12345
CVE-2023-67890
The batch-route issue affects WordPress versions below 6.9.
WordPress has confirmed that automatic updates will apply to all sites.
An anonymous user can execute code on a WordPress site due to this vulnerability.
The injection flaw requires prior conditions to be triggered.
Adam Kues reported the bug through WordPress's HackerOne program.
All versions of WordPress have the same vulnerabilities related to wp2shell.
WordPress versions affected by the flaw include 6.9 and .
The flaw consists of two bugs with CVE IDs, one of which is CVE-2026- .
To protect against the bug, users should consider blocking certain API .
The SQL injection affects versions up to 6.8 .
The batch-route bug requires conditions to be triggered.
Over million sites run WordPress globally.
This question is required

Test Your Understanding

Start Quiz
Vocabulary List:
6 words · tap to reveal
ON
Accent
anonymous/əˈnɑnəməs/adjective
not using a real or known name
vulnerabilities/ˌvʌlnərəˈbɪlətiz/noun
weak parts that can be used to harm
injection/ɪnˈdʒɛkʃən/noun
adding harmful code into software or database
execute/ˈɛksɪˌkjuːt/verb
to run a program or command
patch/pætʃ/noun
a small update that fixes software problems
triggered/ˈtrɪɡərd/verb
caused something to start or happen

How much do you know?

What is the code name of the flaw that affects WordPress versions 6.9 and 7.0?
wp2shell
batch-route
CVE-2026-63030
CVE-2026-60137
Which user discovered the batch-route bug?
Adam Kues
WordPress Team
HackerOne
Assetnote
What is the highest affected version for SQL injection vulnerabilities?
6.9
6.9.5
6.8.5
7.0
What is the version number of the recent patch released by WordPress?
6.9.5
7.0.2
6.8.5
7.1
How many WordPress sites are running globally?
100 million
200 million
500 million
1 billion
Which CVE ID relates to the SQL injection vulnerability?
CVE-2026-63030
CVE-2026-60137
CVE-2023-12345
CVE-2023-67890
The batch-route issue affects WordPress versions below 6.9.
WordPress has confirmed that automatic updates will apply to all sites.
An anonymous user can execute code on a WordPress site due to this vulnerability.
The injection flaw requires prior conditions to be triggered.
Adam Kues reported the bug through WordPress's HackerOne program.
All versions of WordPress have the same vulnerabilities related to wp2shell.
WordPress versions affected by the flaw include 6.9 and .
The flaw consists of two bugs with CVE IDs, one of which is CVE-2026- .
To protect against the bug, users should consider blocking certain API .
The SQL injection affects versions up to 6.8 .
The batch-route bug requires conditions to be triggered.
Over million sites run WordPress globally.
This question is required

Read More