A critical vulnerability in WordPress core, allowing anonymous remote code execution (RCE), was patched by the content management system’s developers on July 17, 2026. The flaw, discovered by Adam Kues of Searchlight Cyber’s Attack Surface Management arm, means that potentially any WordPress site running on the vulnerable versions could have been compromised with a simple, unauthenticated HTTP request. WordPress has since pushed out automatic updates to mitigate the risk for most users.
The vulnerability affected WordPress versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. These versions are now superseded by 6.9.5 and 7.0.2, respectively, which contain the fix. WordPress utilized its auto-update system, terming it “forced updates,” to deploy the patches to a significant portion of its user base. However, site administrators are advised to verify their current WordPress version rather than assume the update has been applied if they have previously disabled automatic updates.
Addressing the WordPress Core RCE Vulnerability
The security report, published under the alias “wp2shell” on HackerOne, stated that the attack contained “no preconditions and can be exploited by an anonymous user.” This means that attackers did not need any prior access or special privileges to trigger the code execution. Searchlight Cyber has opted to withhold full technical details of the exploit for now, instead providing a checker tool on wp2shell.com for website owners to test their own WordPress installations.
WordPress’s own release notes describe the flaw as a “REST API batch-route confusion and SQL injection issue leading to Remote Code Execution.” This indicates a complex interaction within the REST API that attackers could leverage. While WordPress did not assign specific severity ratings to each flaw, it classified one as critical and the other as high. The company has not yet released CVE identifiers for either vulnerability, nor has a CVSS score been published, which may delay automated vulnerability scanning and identification.
The affected code is located within several core WordPress files, including `class-wp-rest-server.php`, `class-wp-query.php`, and `rest-api.php`. The batch endpoint, which appears to be the focal point of the vulnerability, has been part of WordPress since version 5.6, released in November 2020. The specifics of what changed in the 6.9 release to enable this exploit remain unclear from the initial advisories.
Mitigation Strategies for Unpatched Sites
For website owners unable to update their WordPress core immediately, Searchlight Cyber suggests several stopgap measures. These primarily focus on restricting access to the vulnerable batch endpoint. One method involves configuring a Web Application Firewall (WAF) to block requests to `/wp-json/batch/v1` and `rest_route=/batch/v1`. It is crucial to block both the path and the query string variations to effectively close the vulnerability.
Alternatively, administrators can disable the WordPress REST API entirely, which would prevent unauthenticated access to all REST API endpoints. A third option is to implement a small drop-in plugin that specifically intercepts and rejects anonymous requests directed at the `/batch/v1` endpoint at the `rest_pre_dispatch` action hook. These workarounds, however, carry the risk of breaking legitimate integrations that rely on these API functionalities.
As of July 18, 2026, no widespread exploitation attempts had been publicly reported. The lack of a CVE and public exploit signatures means that current attack detection methods may not be effective. However, given the historical trend of mass exploitation for WordPress vulnerabilities, it is anticipated that malicious actors will soon attempt to leverage this flaw.
The open-source nature of WordPress means that the patches and the underlying code are publicly accessible. This creates a window of opportunity for attackers to analyze the fix and develop exploits before all vulnerable sites have been updated. While WordPress has accelerated its patching process with forced updates, the race is now on to ensure that the majority of the estimated 500 million WordPress sites are updated before widespread, automated attacks begin. The speed at which WordPress pushed out the fix suggests a proactive effort to minimize the potential damage from this critical WordPress core vulnerability.

