WordPress patches critical unauthenticated RCE chain in versions 6.8 through 7.0.1
WordPress released version 7.0.2 on July 17, 2026, to fix a two-vulnerability chain dubbed WP2Shell, comprising a SQL injection flaw (CVE-2026-60137) in WP_Query and a REST API batch route confusion bug (CVE-2026-63030). When chained, the two flaws allow a remote attacker without any WordPress credentials to achieve full code execution on default installations, with no plugins required. The route confusion vulnerability, introduced in WordPress 6.9, bypasses authentication boundaries that would otherwise block the SQL injection, and the full RCE path is most accessible on sites without a persistent object cache such as Redis or Memcached. Within two days of disclosure, a working proof-of-concept became publicly available and early in-the-wild exploitation attempts were reported by Patchstack. All site owners running WordPress 6.8 through 7.0.1 are urged to update immediately to the patched releases 6.8.6, 6.9.5, or 7.0.2.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in