HomeCyber BalkansCritical WordPress Core Vulnerability Enables Remote Code Execution by Anonymous Hackers

Critical WordPress Core Vulnerability Enables Remote Code Execution by Anonymous Hackers

Published on

spot_img

Major Security Flaw Discovered in WordPress Core—"wp2shell"

A newly unveiled pre-authentication remote code execution (RCE) vulnerability in WordPress Core, referred to as “wp2shell,” has raised alarms in the cybersecurity community. Notably, this flaw requires no prior authentication, making it particularly dangerous, as it affects standard WordPress installations with no plugins installed. Given that WordPress is the backbone of an estimated 500 million websites worldwide, the implications are extensive.

This vulnerability marks one of the most critical security disclosures for content management systems (CMS) in the recent past. The issue arises from a combination of REST API batch-route confusion and an SQL injection flaw. Together, these weaknesses enable unauthorized individuals to execute arbitrary code remotely, posing significant risks to affected sites.

Identification and Reporting of the Vulnerability

The vulnerability was identified by researcher Adam Kues from Assetnote, who promptly reported it to the relevant authorities. The flaw has been assigned the identifier CVE-2026-63030 (GHSA-ff9f-jf42-662q) to track its impact and mitigation. Additionally, a related SQL injection vulnerability, reported by collaborators TF1T, dtro, and haongo, has been designated CVE-2026-60137 (GHSA-fpp7-x2x2-2mjf).

The critical aspect of this vulnerability is that its exploitation does not require any precondition or valid credentials. This means that an anonymous attacker can easily compromise a vulnerable WordPress site without needing any special authorization, amplifying the risk considerably.

The Response from Security Experts

In light of the severity of the situation, Searchlight Cyber has decided to withhold the technical details involved in the exploitation. The intention behind this decision is to provide site owners with adequate time to apply necessary patches before the details become public knowledge. However, they have released a public scanner available at wp2shell[.]com. This tool allows administrators to assess their sites for vulnerabilities without requiring extensive technical expertise.

Affected Versions of WordPress

The impact of this vulnerability varies across different versions of WordPress:

  • WordPress ≤6.8.5: Not affected by the RCE chain, but affected only by CVE-2026-60137.
  • WordPress 6.9.0–6.9.4: Affected by both vulnerabilities.
  • WordPress 7.0.0–7.0.1: Affected by both vulnerabilities.
  • WordPress 7.1 beta releases: Affected, with fixes present in 7.1 beta2.

The identification of these affected versions indicates a significant portion of the WordPress ecosystem is vulnerable, making immediate action crucial.

Patches and Mitigation Strategies

The WordPress security team has proactively responded by releasing version 7.0.2, which addresses one critical issue and another of high severity. Backport releases have also been made available, including versions 6.9.5 and 6.8.6. Due to the critical nature of the remote code execution vulnerability, WordPress has enabled forced auto-updates for sites running susceptible versions. However, site administrators are advised to verify these updates manually to ensure the integrity of their websites.

To update, site owners can navigate to the WordPress Dashboard and select "Updates" followed by "Update Now," or they can download the release directly from WordPress.org.

For those environments where immediate patching may not be an option, Searchlight Cyber recommends implementing temporary mitigation strategies:

  • Install a plugin that blocks anonymous access to the REST API entirely.
  • Block the paths /wp-json/batch/v1 and ?rest_route=/batch/v1 at the WAF level.

These emergency measures may disrupt legitimate REST API functionality and should serve only as stopgap solutions until a comprehensive update can be executed.

The Potential for Widespread Exploitation

Given the massive installed base of WordPress, the wp2shell vulnerability poses a significant threat for potential widespread automated exploitation. The concern heightens as technical details regarding the flaw and its exploitation could soon be made public, either through further disclosures or reverse-engineering of patch differences.

In conclusion, security teams and site administrators are strongly urged to act without delay. They should prioritize updates, verify the status of patches using the wp2shell[.]com tool, and closely monitor logs for suspicious REST API batch requests targeting /wp-json/batch/v1. By taking these precautions, site owners can help mitigate the potential risks associated with this critical vulnerability.

Source link

Latest articles

1Password Integrates with Claude AI for Enhanced Secure Authentication

1Password Integrates with Anthropic's Claude AI: Enhancing Secure Authentication In a significant advancement in digital...

Q&A: Cyber Returns to the CSIDES

In the vibrant seaside town of Weston-super-Mare, CSIDES is set to return for its...

San Francisco Calls on Apple and Google to Remove AI Nudify Apps

San Francisco Takes Action Against AI "Nudify" Apps Targeting Vulnerable Individuals In a decisive move...

China’s Kimi K3 Drives Chip Stocks into Bear Market

Open-Weight Model Reopens Debate Over US...

More like this

1Password Integrates with Claude AI for Enhanced Secure Authentication

1Password Integrates with Anthropic's Claude AI: Enhancing Secure Authentication In a significant advancement in digital...

Q&A: Cyber Returns to the CSIDES

In the vibrant seaside town of Weston-super-Mare, CSIDES is set to return for its...

San Francisco Calls on Apple and Google to Remove AI Nudify Apps

San Francisco Takes Action Against AI "Nudify" Apps Targeting Vulnerable Individuals In a decisive move...