The WordPress ecosystem is facing a severe security crisis due to a critical vulnerability chain dubbed wp2shell. This flaw allows unauthenticated attackers to achieve remote code execution (RCE) on default installations, even those without any plugins installed. With an estimated 500 million+ websites at risk, the vulnerability represents a systemic threat to the web's most popular CMS.
The Attack Vector and Vulnerability Chain
The exploit is not a single bug but a chain of two separate vulnerabilities, identified as CVE-2026-63030 and CVE-2026-60137. According to Beazley Security, this combination enables an anonymous request to trigger malicious code execution on the server. Technical analysis from Aikido confirms that the flaw is rooted in a SQL injection.
The vulnerability was discovered by Adam Kues of Searchlight Cyber and responsibly disclosed to the WordPress Security Team. While technical details were initially withheld to allow administrators time to patch, proof-of-concept (PoC) exploits are already circulating and early signs of real-world exploitation have been detected.
Affected Versions and Remediation
The flaw affects WordPress versions 6.9 through 7.0.1. In response, the project has released emergency security updates: versions 7.0.2, 6.9.5, and 6.8.6. To mitigate the risk, WordPress has enabled forced automatic updates across all affected branches.
Site owners are urged to verify their current version immediately. Tools such as 2shell.com have been deployed to help administrators quickly determine if their instance is vulnerable.
Broader Security Implications
The wp2shell incident highlights the persistent danger of vulnerabilities in widely used core software. As AI-driven tools like VulnHunter attempt to automate bug hunting, the emergence of critical zero-days — similar to the HiveLegacy exploit on Windows — proves that the attack surface remains vast. For platforms powering a significant portion of the internet, pre-authentication RCEs are the highest possible risk level.
