Critical WordPress 7.0.2 Update Patches wp2shell Remote Code Execution Flaw
According to Rapid7's analysis of GitHub Security Advisory CVE-2026-63030, WordPress Core shipped an emergency fix on July 17, 2026 for an unauthenticated remote code execution chain dubbed…

According to Rapid7's analysis of GitHub Security Advisory CVE-2026-63030, WordPress Core shipped an emergency fix on July 17, 2026 for an unauthenticated remote code execution chain dubbed "wp2shell" that compromises default installations without any plugins or user interaction. The bug chains REST API batch-route confusion with a core SQL injection, and per Cloudflare's observations the vulnerable code path is reachable whenever a persistent object cache is not in use. For WordPress operators this is a patch-now event: the vulnerable branches are 6.9.0–6.9.4 and 7.0.0–7.0.1, with fixes in 6.9.5, 7.0.2, and 7.1 Beta 2.
What the advisory establishes
The official GitHub Security Advisory was published on July 17, 2026 and classifies the flaw as Critical, though the currently assigned CVSS score sits at 7.5. Searchlight Cyber identified the vulnerability; per Rapid7, technical exploit details had not been made public as of 5:45 PM Eastern on the day of disclosure. Rapid7 Labs nonetheless expects a public PoC shortly, reasoning that WordPress Core is open-source and current AI models can analyze the relevant code path without much friction. No publicly confirmed in-the-wild exploitation was reported at publication time, but the unauthenticated attack surface makes that gap a poor proxy for actual risk.
Versions, fixes, and the upgrade matrix
Affected installations: WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. Patched targets: 6.9.5, 7.0.2, and 7.1 Beta 2; a backport to 6.8.6 was also published. WordPress maintainers are forcing updates on installations running with auto-updates enabled, but that only covers sites where the auto-update mechanism itself is healthy. Workarounds are not recommended at this time — the only effective remediation is the WordPress-provided upgrade.
Diagnostic steps and post-patch baseline
1. Confirm the running version. From the WP-CLI host: wp core version. Expected on a patched site: 6.9.5, 7.0.2, 6.8.6 (backport branch), or 7.1 Beta 2.
2. Verify auto-update execution. Inspect wp_options for auto_update_core and review the core update log for a successful 6.9.5 / 7.0.2 transition timestamp.
3. Check object-cache configuration. If wp-content/object-cache.php is absent or Redis/Memcached is not running behind the site, Cloudflare's note applies: the vulnerable REST API batch code path is reachable.
4. Run a safe external check. Hadrian.io published a public detection tool at wp2shell.com for unauthenticated probing without payload delivery.
5. Scan logs for pre-patch indicators. Grep access logs for anomalous POST traffic to /wp-json/batch/v1 or repeated 4xx/5xx patterns on REST endpoints during the disclosure window.
Post-patch baseline we verify before closing the incident:
wp core versionresolves to a fixed build string.- No leftover cron entries tied to the prior core build.
wp-includes/rest-api.phpmtime matches the post-upgrade filesystem snapshot.- REST API
batch/v1route responds with the patched handler signature. - WAF rule, if present, treats the
batchroute consistently with the new code path, not the old one.
Any failure on the first check triggers a forced manual upgrade.