An anonymous HTTP request can run code on a WordPress site. This issue affects software versions 6.9 and 7.0, which are at risk until the recent patch. WordPress has released updates 6.9.5 and 7.0.2 to fix the problem.
The flaw, known as wp2shell, consists of two bugs with CVE IDs. CVE-2026-63030 relates to a mistake in the REST API, while CVE-2026-60137 is a SQL injection in WordPress. Together, these bugs can allow an anonymous user to execute code on the site.
Adam Kues from Assetnote discovered the batch-route bug and reported it through WordPress’s HackerOne program. Researchers have published details about the attack, which requires no prior conditions to be triggered. The injection flaw has been noted separately by other contributors.
Not all versions have the same vulnerabilities. The SQL injection affects versions up to 6.8.5, while the batch-route issue only appears from version 6.9 onwards. Therefore, users should be aware of which version they are running.
WordPress has not confirmed if automatic updates will reach sites that have switched off this feature. Users should check their version to ensure they are protected. The issue impacts a large number of sites, with over 500 million running WordPress globally.
To protect against this bug until an update is made, users should consider blocking certain API routes or completely disabling the REST API.
Test Your Understanding
How much do you know?





