A core vulnerability in WordPress allows unauthenticated attackers to run code on sites using versions 6.9.0 to 6.9.4 and 7.0.0 to 7.0.1. The issue was addressed in updates released on July 17, 2026, impacting potentially over 500 million websites.
WordPress has identified a critical core flaw, dubbed wp2shell, that enables unauthenticated attackers to execute arbitrary code on affected sites. This issue affects default installations of WordPress, requiring no plugins to exploit.
The vulnerability impacts WordPress versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. On July 17, 2026, WordPress released updates 6.9.5 and 7.0.2 to address this issue. Both versions were delivered as forced updates through WordPress's auto-update system, although it is unclear if sites with auto-updates disabled received the patches.
Found by Adam Kues from Searchlight Cyber, the vulnerability is classified as a REST API batch-route confusion and SQL injection issue, leading to remote code execution. The batch endpoint at the core of this flaw has been part of WordPress since version 5.6.
Approximately 500 million sites run WordPress, but the vulnerable code exists solely in versions 6.9 and later, which were released in late 2025. This makes the issue especially concerning, given the relatively short time since it was introduced.
✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors — check the original sources. How BrevFeed works →
A core vulnerability in WordPress allows unauthenticated attackers to run code on sites using versions 6.9.0 to 6.9.4 and 7.0.0 to 7.0.1. The issue was addressed in updates released on July 17, 2026, impacting potentially over 500 million websites.