A critical pre-authentication remote code execution vulnerability in WordPress core, dubbed wp2shell, allows an anonymous HTTP request to take over a site — even a bare installation with no plugins. The flaw affects WordPress versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. WordPress released emergency patches 6.9.5 and 7.0.2 on July 17, 2026, and pushed them via its forced auto-update system, but it remains unclear whether sites that disabled auto-updates received the fix.
Disclosure and impact
Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, discovered the vulnerability and reported it through WordPress's HackerOne program. The researcher's writeup states the attack has "no preconditions and can be exploited by an anonymous user." Searchlight has not yet released technical details, instead providing a checker at wp2shell.com for site owners to test their own instances.
WordPress's release notes describe the bug as "a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution." The batch endpoint has been part of WordPress since version 5.6 in November 2020, but something changed in 6.9 to make it exploitable. The patches touch three files: /wp-includes/rest-api/class-wp-rest-server.php, /wp-includes/class-wp-query.php, and /wp-includes/rest-api.php. Neither advisory includes a CVE ID or CVSS score, meaning CVE-keyed scanners and CISA's KEV catalog will not flag the issue.
Affected versions and mitigation
Only WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 are vulnerable. Since 6.9 shipped on December 2, 2025, all affected sites run code less than eight months old. While over 500 million websites run WordPress, the vulnerable subset is smaller but unknown. WordPress 7.1 beta2 includes the fix, and sites still on 6.8 have an unrelated SQL injection patch waiting.
For those unable to update immediately, Searchlight suggests three stopgap mitigations, all of which risk breaking legitimate integrations: block both /wp-json/batch/v1 and rest_route=/batch/v1 at a WAF, disable the WP REST API entirely, or use a drop-in plugin to reject anonymous /batch/v1 requests at rest_pre_dispatch.
No exploitation attempts have been reported as of July 18, but the absence of a CVE means no public signatures are being tracked. The window for defenders is narrow: WordPress core is open source, and comparing 7.0.1 and 7.0.2 reveals the fix — and thus the bug — to anyone who looks. Searchlight's own team, which turned a Drupal SQL injection patch into working proofs of concept in a single day in May, is betting that silence buys time. Whether the forced update reached enough sites before attackers reverse-engineer the patch will only be clear when traffic against batch/v1 spikes.