WordPress patches critical flaw letting anyone hijack sites

WordPress released emergency security updates on Friday, closing a critical pre-authentication remote code execution vulnerability that allows an anonymous attacker to take full control of any default WordPress installation with a single HTTP request.

The Vulnerability

Versions 7.0.2 and 6.9.5, released on July 17, 2026, address the flaw tracked as CVE-2026-63030 and dubbed “wp2shell” by the researchers who discovered it. The vulnerability chains a REST API batch request route confusion with SQL injection to achieve unauthenticated RCE — the most severe class of web vulnerability — requiring no login, no special configuration, and no plugins. Nnebula Wwordpress Aaikido Ccloudflare

The bug affects WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. A related but less severe SQL injection issue, CVE-2026-60137, affects versions from 6.8 onward and is patched in 6.8.6. Versions prior to 6.8 are unaffected by either issue. Aaikido Ccloudflare Nnebula

According to a Cloudflare blog post published Friday, the RCE is exploitable “when a persistent object cache is not in use,” a condition that applies to most standard WordPress deployments. The WordPress security team disclosed the vulnerabilities to Cloudflare before the public release, allowing the company to deploy WAF protections at 17:03 UTC. Ccloudflare

Mitigation and Response

WordPress.org has enabled forced automatic updates for affected sites, though deployments with auto-updates disabled or version-controlled environments may not receive the patch automatically. The official WordPress release notice called it the organization’s “highest-severity, highest-priority class of issue”. Wwordpress Nnebula Ccloudflare

For sites that cannot patch immediately, security teams are advised to block both `/wp-json/batch/v1` and the query-string form `?rest_route=/batch/v1` at the WAF level. Blocking only the pretty permalink path leaves the alternate route exposed. Nnebula Aaikido

The Open-Source Paradox

Because WordPress is open source, the public release archive makes the fix — and by extension, a roadmap to the bug — simultaneously available to defenders and attackers. No exploitation has been reported at the time of disclosure, but security researchers noted that with core RCE vulnerabilities, “hours matter more than days”. WordPress powers an estimated 40 percent of all websites, making the window between patch availability and widespread adoption a period of acute risk for unpatched installations. Nnebula