A Real Pre-Auth RCE, and a Headline That Skips the Fine Print
On July 17, 2026, WordPress shipped 7.0.2, 6.9.5, and 6.8.6 to fix a chain the researchers named wp2shell. The headline version is accurate and alarming: an anonymous HTTP request can run code on a default WordPress install, no login, no plugins, core only. That is a genuine pre-authentication remote code execution in the most widely deployed CMS on the internet, and it deserves to be taken seriously.
The fine print is where the panic and the reality separate. Whether your site is actually exploitable by the RCE comes down to three conditions, and a large share of real-world WordPress installs fail at least one of them. This is not a reason to skip patching, patch anyway and patch today, but it is the difference between a measured response and a fire drill. Here is what is true, verified against NVD and the WordPress advisory, and how to tell in two minutes which category you are in.
The Two Bugs
wp2shell is not one vulnerability, it is two chained together, and keeping them straight is the whole story.
| CVE | What it is | Affected | Fixed |
|---|---|---|---|
| CVE-2026-63030 | REST API batch endpoint route confusion, the RCE half of the chain | 6.9.0-6.9.4, 7.0.0-7.0.1 | 6.9.5, 7.0.2 |
| CVE-2026-60137 | SQL injection in the author__not_in parameter of WP_Query | 6.8.0-6.8.5, 6.9.0-6.9.4, 7.0.0-7.0.1 | 6.8.6, 6.9.5, 7.0.2 |
The route-confusion bug (63030) is what lets an unauthenticated request reach the injectable code path through the /wp-json/batch/v1 endpoint. The SQL injection (60137) is the payload that turns a reachable query into database control and, from there, code execution. Neither is the full RCE alone. Chained on an affected version, they are.
wp2shell was found by Adam Kues of Assetnote (Searchlight Cyber's attack-surface arm) and reported through WordPress's HackerOne program. The SQL injection was reported separately by other researchers, which is why it carries its own CVE.
The CVSS Scores Disagree, Badly
Before the "how exposed am I" part, a caveat about the numbers, because you will see wildly different severities quoted and it is not an error, it is a genuine disagreement between scoring bodies.
| CVE | WPScan (CNA) | CISA-ADP |
|---|---|---|
| CVE-2026-63030 (RCE chain) | 9.8 Critical | 7.5 High |
| CVE-2026-60137 (SQL injection) | 5.9 Medium | 9.1 Critical |
Read that carefully. On the RCE, WPScan says 9.8 critical and CISA says 7.5 high. On the SQL injection, they flip: WPScan says 5.9 medium, CISA says 9.1 critical. The two organisations are scoring the same bugs from opposite ends. WordPress's own advisory calls the chain critical and the injection high.
The practical read: treat the chain as critical. When reputable scorers disagree by this much, the safe assumption is the higher number, and the one thing everyone agrees on is that a working RCE against core WordPress is at the top of the scale.
The Three Conditions That Decide Your Exposure
Here is the part the "millions of sites, patch now" coverage skips. To be exploitable by the RCE chain, all three of these have to be true at once.
Condition 1: You are on an affected version
The RCE chain requires the route-confusion bug, which only exists in 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1.
- Below 6.9: the route confusion is not present. You are not exposed to the RCE at all. (6.8.x is still exposed to the SQL injection on its own, see below.)
- 6.9.5, 7.0.2, or later: patched.
- Already auto-updated: WordPress force-pushed this through the automatic background update system. If your site takes minor auto-updates, which is the default, it may already be on the fixed release. Do not assume, verify, but do not panic either.
Condition 2: You do not run a persistent object cache
This is the condition almost every write-up omits, and it is the most consequential. Cloudflare, who wrote the emergency WAF rules, confirmed that the vulnerable code path is only reachable when a persistent object cache is not in use.
In plain terms: if your site has a real object cache configured, Redis or Memcached behind an object-cache.php drop-in, the RCE path is not reachable. That describes a large fraction of performance-optimised and professionally hosted WordPress sites. It does not describe the typical small shared-hosting install, which runs no object cache and is therefore squarely in scope.
An object cache is not a fix and it is not a substitute for patching. It happens to block this specific path today. Patch anyway.
Condition 3: The batch REST endpoint is reachable
The chain enters through /wp-json/batch/v1. On a default install this is reachable by anonymous requests, which is exactly why this is pre-auth. If you have already locked down or disabled the REST API batch endpoint at the edge, or your WAF blocks it, the entry point is closed. Most sites have not done this, so for most sites this condition is simply true.
The SQL injection on its own (CVE-2026-60137, the 6.8.x exposure) is a narrower thing. Per NVD, it is exploitable only when a plugin or theme passes untrusted input into the author__not_in parameter of WP_Query. A bare 6.8 core does not hand an anonymous attacker that path by itself. It is still worth patching, but it is not the same anonymous-request-runs-code scenario as the full chain on 6.9+.
Check Your Own Site in Two Minutes
Do not guess which category you are in. Check.
# 1. What version are you actually running?
wp core version
# Or without wp-cli, read it from the source:
grep "wp_version =" wp-includes/version.php
If that shows 6.9.5, 7.0.2, or newer, you are patched. If it shows 6.9.0-6.9.4 or 7.0.0-7.0.1, keep going.
# 2. Do you have a persistent object cache? (Condition 2)
# The drop-in file is the tell:
ls -l wp-content/object-cache.php
# Or ask WordPress directly:
wp eval 'echo wp_using_ext_object_cache() ? "external object cache: RCE path blocked" : "no persistent object cache: exposed if unpatched";'
If object-cache.php exists and points at a working Redis or Memcached, the RCE path is not reachable on your site. If there is no such file, and you are on an affected version, treat yourself as exposed and patch now.
# 3. Confirm the batch endpoint is exposed (Condition 3)
curl -s -o /dev/null -w "%{http_code}\n" https://your-site.example/wp-json/batch/v1/
# A 200 or 4xx that is not 404 means the endpoint is live and reachable.
What To Do
Ordered by urgency.
- Update to 6.9.5, 7.0.2, or 6.8.6 for your branch. This is the only real fix.
wp core updateor the admin dashboard. On managed or version-locked hosting where auto-updates are blocked, this is a manual action you have to take, and those are exactly the sites most likely to still be exposed. - Verify the update actually landed with
wp core version. A dashboard that says "up to date" against a pinned version is not the same as being on the patched release. - If you cannot patch this hour, the interim mitigations are a persistent object cache (which blocks the RCE path, per Cloudflare) and a WAF rule on
/wp-json/batch/v1. Cloudflare, Wordfence, and others shipped rules within hours of disclosure. These buy time. They are not the fix. - After patching, assume nothing about the window before you did. A pre-auth RCE with a public proof of concept is the kind of bug where compromise can precede the patch. If your site was on an affected version, unpatched, without an object cache, and internet-facing during the exposure window, treat a post-patch integrity check as part of the response, not an optional extra: unexpected admin users, new files in
wp-content, modified core files (wp core verify-checksums), and unfamiliar scheduled tasks.
# Fast post-patch integrity check
wp core verify-checksums
wp user list --role=administrator --fields=user_login,user_email,user_registered
Exploitation Status, As Of Now
This is moving quickly, so treat any specific claim as a snapshot. As of July 18, 2026: no confirmed in-the-wild exploitation has been reported. The proof-of-concept situation is contested, some coverage says working exploit code is already on GitHub, while Rapid7 stated it had not seen a public PoC as of the 17th but assessed one as highly likely given the bug is in open-source code that anyone, or any model, can analyse.
The honest posture: for a pre-auth RCE in core WordPress, the gap between disclosure and mass exploitation is usually short. Whether or not a polished PoC is public at the moment you read this, assume one is imminent and let that set your urgency. The reason WordPress took the rare step of force-pushing the update is the same reason you should not wait for confirmation that it is being exploited before you act.
The Measured Version
wp2shell is a real, serious, pre-authentication RCE in WordPress core, and if you run an affected version without an object cache, it is as bad as it sounds. But "the entire WordPress web is on fire" is not what the facts say. Three conditions gate the RCE, WordPress force-pushed the fix through auto-updates, and a meaningful slice of professionally run sites are blocked by an object cache they already had. The sites genuinely at risk are the unpatched, un-cached, auto-update-disabled ones, which is to say the ones nobody is actively managing. If that is not you, verify it is not you, then move on. If it might be you, you have a two-minute check and a one-command fix.
If you run WordPress at any scale and want a fast read on which of your sites are on affected versions, which have an object cache in the path, and confirmation that the patch actually reached every install rather than the ones that auto-update cleanly, that is exactly what our WordPress and security and compliance work covers. For a companion case from the same week, a critical bug that had been hiding in nginx core for fifteen years, see our note on the nginx map regex overflow.
Sources
Talk to the engineer who will own your stack.
No account managers, no offshore handoff. Senior DevOps, direct. Tell us what you are dealing with and you get a straight answer.
Related News
nginx Patches Three CVEs, One a 9.2 Critical Bug That Sat Hidden in the Code Since 2011
nginx patched three CVEs on July 15, 2026: a 9.2-rated critical heap buffer overflow in map regex matching (CVE-2026-42533) present since 2011, an uninitialized-memory bug that unnamed regex captures trigger through either the slice directive or ordinary background cache updates (CVE-2026-60005), and a use-after-free in the SSI filter (CVE-2026-56434) present since 2009. Fixed in 1.30.4 stable and 1.31.3 mainline. With the config patterns to audit for, five read-only audit commands, and the detail most coverage gets wrong about the second bug.
SecurityA 16-Year-Old KVM Bug Called Januscape Lets a Guest VM Break Out to the Host on Intel and AMD
Januscape (CVE-2026-53359) is a 16-year-old use-after-free in the Linux KVM shadow MMU on both Intel and AMD, rated a guest-to-host escape by Canonical. The public proof of concept crashes the host from inside a guest, while full host takeover is claimed but not published. Upstream fixed it on July 4, but distro kernels are still pending. Here is who is exposed, the nested-virtualization mitigation, and what to do now.
SecurityA 15-Year-Old Linux Kernel Bug Called GhostLock Gives Any Local User Root and Escapes Containers
GhostLock (CVE-2026-43499) is a 15-year-old use-after-free in the Linux kernel rtmutex code that lets any logged-in user become root, and in the researchers' testing escape containers. It was quietly patched upstream in May, but Nebula Security has now published a working exploit, which changes the risk for anyone running shared or multi-tenant Linux. Here is who is actually exposed and what to do.