July 17, 2026

wp2shell: Pre Authentication RCE in WordPress Core

Searchlight Cyber’s security research team has discovered a pre-authentication RCE in WordPress Core. The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.

It is estimated that over 500 million websites use WordPress.

Given the severity of the bug and to give defenders time to patch, we are not releasing technical details at this time. We are, however, releasing a website to determine if your instance is vulnerable. You can find it here: https://wp2shell.com/

 

Check if your site is impacted
wp2shell[.]com is a public tool developed by Searchlight Cyber

 

Affected WordPress versions

  • <= 6.8.5: not affected.
  • 6.9.0 - 6.9.4: affected.
  • 7.0.0 - 7.0.1: affected.

Mitigation

The best way to protect yourself is to update WordPress to version 7.0.2, or 6.9.5 if you are on the 6.9 branch. as soon as possible. If this isn’t possible, you can temporarily protect your instance by blocking anonymous access to the batch API, either by:

  • Installing a plugin that blocks anonymous access to the rest API entirely; or
  • Blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level.

Note that both these solutions may have an impact on legitimate use of the site and should only be considered emergency temporary measures until you can update.
 

About Searchlight Cyber

Customers of Searchlight Cyber’s ASM solution, Assetnote, are always first to receive checks for the novel vulnerabilities we discover – often weeks or months before public disclosure. Our Security Research Team continues to dig beyond public PoCs to deliver high-signal detections to our platform. Learn more.

in this article

Book your demo: Identify cyber
threats earlier– before they
impact your business

Searchlight Cyber is used by security professionals and leading investigators to surface criminal activity and protect businesses. Book your demo to find out how Searchlight can:

Enhance your security with advanced automated dark web monitoring and investigation tools

Continuously monitor for threats, including ransomware groups targeting your organization

Prevent costly cyber incidents and meet cybersecurity compliance requirements and regulations

Fill in the form to get you demo