Critical wp2shell WordPress Core Flaw Disclosed, Allowing Unauthenticated Remote Code Execution
A significant vulnerability, dubbed 'wp2shell', in WordPress core (versions 6.9 and 7.0) has been fully disclosed, enabling unauthenticated attackers to achieve remote code execution. The flaw, comprising a REST API batch-route confusion (CVE-2026-63030) and a SQL injection (CVE-2026-60137), now has a public proof-of-concept, necessitating immediate patching for all WordPress site administrators.
Want more?
Open NewsSnap.ai for the full app experience, including audio, personalization, and more news tools.