Go back

WP2Shell Vulnerabilities: CVE-2026-60137 and CVE-2026-63030

Landon RiceCaitlin Condon
  • A new version of WordPress core was released on Friday, July 17 with fixes for two high-profile vulnerabilities that, when exploited together, allow for remote code execution on standard WordPress installations.
  • The vulnerabilities have been assigned CVE-2026-60137 (critical SQL injection) and CVE-2026-63030 (high-severity REST API batch endpoint route confusion).
  • Not all versions of WordPress are vulnerable, but the CMS’s global popularity means any new vulnerability has a large built-in target population. While there was no exploitation at time of disclosure, early reports of in-the-wild activity have since begun to emerge.

On Friday, July 17, 2026 the WordPress team released version 7.0.2 of the popular CMS to address two vulnerabilities — one critical-severity and one high-severity — that when exploited together allow for remote code execution in out-of-the-box WordPress installations (no plugins needed). Public details on the vulnerabilities themselves are lacking so far, ostensibly to prevent exploitation. Searchlight Cyber, whose research team is credited for discovery of CVE-2026-63030, nicknamed the vulnerability “WP2Shell” in a companion advisory.

While there wasn’t any reported exploitation in the wild at time of disclosure, we can be certain that both adversaries and researchers the world over have begun the process of reversing patches and developing exploits. Security firm PatchStack is reporting exploitation of CVE-2026-63030 as of shortly before 7 PM ET on Friday, July 17, though it’s unclear what exactly is being observed in the wild. Popular ASM engines, including Censys and Shodan, find tens of millions of WordPress installations on the public internet.

VulnCheck Research Observations

VulnCheck’s research team began investigating the WordPress patches upon their release earlier today. Our exploit development team’s initial assessment is that based on the advisory and public fix commits, CVE-2026-60137 (SQLi) is reachable on its own only by an authenticated user. When chained with CVE-2026-63030, however, the secondary vulnerability bypasses the blocklist that restricts the CVE-2026-60137 SQL injection to authenticated users only, and therefore makes the entire chain unauthenticated.

Our team’s early research hasn’t identified a straight-shot path to RCE, but instead relies on CVE-2026-63030 (batch-route confusion that functions as an “auth bypass”, for lack of a better term) to unblock the unauth SQL injection and then dump the target database to steal and crack an admin user’s password. After logging in as an admin user, the adversary is able to upload a webshell or conduct any other manner of nefarious activity. Notably, depending on the WordPress plugins installed, initial access could lead to any number of RCE paths via third-party extensions.

Vulnerability Information

CVEVulnerabilityAffectsFixed In
CVE-2026-60137Facilitated SQL injection in author__not_in parameter of WP_Query6.8.0 - 6.8.5, 6.9.0 - 6.9.4, 7.0.0 - 7.0.16.8.6, 6.9.5, 7.0.2
CVE-2026-63030REST API batch endpoint route confusion and SQLi6.9.0 - 6.9.4, 7.0.0 - 7.0.16.9.5, 7.0.2

The WordPress team’s advisory notes that affected versions vary across each specific vulnerability, which is also captured in the table above. From the WordPress advisory:

  • WordPress 6.9 is affected by both vulnerabilities. Version 6.9.5 has been released containing fixes for both.
  • WordPress 6.8 is only affected by the first vulnerability. Version 6.8.6 has been released containing a fix.
  • The beta release of WordPress 7.1 is affected by both vulnerabilities. Version 7.1 beta2 has been released containing fixes for both.
  • Versions of WordPress prior to 6.8 are not affected.

Affected users should update to a fixed version of WordPress as soon as possible, given the overwhelming likelihood that various public exploits and large-scale exploitation will follow the high-profile disclosure.

About VulnCheck

VulnCheck empowers organizations to transcend the challenges of vulnerability prioritization. Our suite of solutions provides product managers, PSIRT teams, and threat hunters with the tools required for accelerated, high-precision operations and infinite efficiency.

Recognizing the industry-wide necessity for superior data velocity and accuracy, we deliver high-fidelity insights to the market. We remain committed to surfacing critical intelligence on vulnerability exploitation and emerging trends, leveraging our unique dataset to support the practitioner community.

For more research like this, see Finding the Routers Energetic Bear Is Looking For, Monsta FTP: An SSRF Blocklist That Forgot IPv6 Exists, and Copy Fail and Its Descendants: A Real Human's Guide to Kernel Page-Cache LPEs.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.
  • Vulnerability Prioritization
    Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
  • Early Warning System
    Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.