A critical pre-authentication remote code execution vulnerability in WordPress core, codenamed wp2shell, lets anonymous attackers take over any site running versions 6.9.0 through 7.0.1 with zero plugins required. WordPress shipped emergency patches on July 17, but the hole was open for over seven months and no CVE has been assigned yet.
Adam Kues at Searchlight Cyber discovered the flaw and reported it through WordPress's HackerOne program. The writeup, published under the name wp2shell, states plainly that the attack has "no preconditions and can be exploited by an anonymous user" against a stock WordPress install with no plugins enabled. The bug lives in core, not a third-party extension, making every WordPress site on vulnerable versions a potential target regardless of its security posture.
WordPress powers an estimated 500 million websites globally. While not all of those run a vulnerable version, the affected range spans every release since December 2, 2025, when WordPress 6.9 shipped. That means hundreds of millions of sites have been running exploitable code for over seven months.
The wp2shell Vulnerability: What We Know
WordPress's release post describes Kues's finding as "a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution." The batch endpoint, which has shipped since WordPress 5.6 in November 2020, processes multiple REST API requests in a single HTTP call. What changed in 6.9 to make it exploitable remains undisclosed by both the researcher and the WordPress core team.
Searchlight Cyber is deliberately withholding technical details to give defenders time to patch. The firm published a checker at wp2shell.com where site owners can test their own instances, but has not released a proof of concept. This is the same firm that, in May 2026, turned a public Drupal core SQL injection patch into a working exploit within 24 hours. The irony is not lost on the security community: the team that can weaponize someone else's fix in a day is now asking the industry to trust its restraint with its own discovery.
The patch touches three files: /wp-includes/rest-api/class-wp-rest-server.php, /wp-includes/class-wp-query.php, and /wp-includes/rest-api.php. Anyone with access to the open source repository can diff 7.0.1 against 7.0.2 to reverse-engineer the exact exploit path. That is the fundamental tension of open source security: you cannot ship a fix without shipping a map to the bug.
Why This Is Different From Every Other WordPress Bug
WordPress is no stranger to critical vulnerabilities. The platform has endured SQL injections, XSS flaws, and authentication bypasses across its two-decade history. But this one is different for three reasons.
First, the attack requires zero authentication against a default installation. No plugins, no themes, no special configuration. A bare WordPress instance running out of the box is exploitable by anyone who can reach the /wp-json/batch/v1 endpoint. For context, the wp-shellstorm crew exploited a single caching plugin flaw to compromise over 17,000 sites before that bug was even fully understood. That required a non-default plugin. This requires nothing.
Second, the vulnerability combines two attack classes: SQL injection and REST API route confusion. This is not a simple memory corruption bug or a garden-variety SQLi. The batch endpoint's complexity creates an attack surface that is difficult to scan for automatically, which means defenders cannot rely on signature-based detection to tell them if they have been compromised.
Third, the response has been fragmented. WordPress shipped 6.9.5 and 7.0.2 on July 17 and enabled what it calls "forced updates" through its auto-update system. But the forced push was not universally tested, and WordPress has not confirmed whether it reaches sites that have turned auto-updates off. The company is also running its 7.1 beta program concurrently, and beta2 carries the same fix, creating potential confusion about which branch should receive patching priority.
The CVE Gap: What Gets Tracked and What Does Not
Neither the WordPress advisory nor Searchlight Cyber's disclosure carries a CVE ID or a CVSS score. As of July 18, no CVE record had appeared in any public database. This creates a dangerous blind spot for enterprise security teams and automated patch management systems.
CISA requires a CVE before it can add anything to the Known Exploited Vulnerabilities catalog. CVE-keyed vulnerability scanners will not flag this issue. The only identifier available is the WordPress version number itself, which means organizations must manually verify that every WordPress instance has been updated to 6.9.5 or 7.0.2. For companies running dozens or hundreds of WordPress sites, that is a significant operational burden that will inevitably leave some instances unpatched.
The absence of a CVE also affects the broader security ecosystem. Threat intelligence feeds, SIEM correlation rules, and managed detection and response services all rely on CVE IDs to trigger alerts and playbooks. Without one, this vulnerability exists in a tracking blind spot that malicious actors are well positioned to exploit.
No exploitation attempts have been publicly reported as of July 18. But the mass exploitation of WordPress is a mature criminal industry with established tooling, communication channels, and monetization pipelines. The clock started ticking the moment the patch was published.
What Founders and Site Owners Need To Do Right Now
If you run a WordPress site, update to 6.9.5 or 7.0.2 immediately. Do not rely on the forced auto-update mechanism to have already done the work. Check your actual installed version by visiting /wp-admin/ in your browser or running wp core version from the command line. If you are on 6.9.0 through 6.9.4 or 7.0.0 through 7.0.1, you are vulnerable and should treat the site as compromised until proven otherwise.
For sites that cannot update immediately, Searchlight Cyber recommends three mitigation options, all of which are stopgaps that may break legitimate functionality. Block /wp-json/batch/v1 and rest_route=/batch/v1 at your WAF or load balancer. Both paths must be blocked because the query-string variant bypasses URL-path-only rules. Alternatively, install the Disable WP REST API plugin to kill unauthenticated REST access entirely. Or deploy a custom plugin that hooks rest_pre_dispatch to reject anonymous batch requests.
For founders running multiple WordPress properties, this is the moment to audit your entire inventory. Map every WordPress instance, verify its version, and establish a patching cadence that does not depend on auto-updates alone. The next critical vulnerability will not necessarily come with a CVE, a blog post, or a Hacker News discussion. The baseline assumption should be that undisclosed flaws exist in every major open source dependency your business relies on.
After patching, audit your server logs for suspicious requests to /wp-json/batch/v1 or any REST endpoint patterns that predate July 17. Check for unexpected admin accounts, unfamiliar files in wp-content/uploads, and outbound connections to unknown IP addresses. Treat the absence of visible compromise as luck, not evidence of security. The difference between a patched site and a backdoored one is often just a missing log line.

