On July 17, 2026, WordPress shipped emergency updates (6.9.5, 7.0.2) to fix wp2shell, a critical unauthenticated remote code execution chain in core.

Create a landscape editorial hero image for this Studio Global article: Search & fact-check with cited sources for What critical WordPress vulnerability was patched in emergency updates on July 17, 2026, what are. Article summary: Here is the full fact-checked breakdown.. Topic tags: general, government, general web, user generated. Style: premium digital editorial illustration, source-backed research mood, clean composition, high detail, modern web publication hero. Use reference image context only for broad subject, composition, and topical grounding; do not copy the exact image. Avoid: logos, brand marks, copyrighted characters, real person likenesses, fake screenshots, UI text, readable text, watermarks, charts with fake numbers, clickbait thumbnails, icons, and tiny thumbnail layouts. Make it useful as an illustrative visual, not as factual evidence.
On July 17, 2026, WordPress released emergency security updates to patch a critical vulnerability chain called wp2shell — an unauthenticated remote code execution (RCE) flaw in WordPress core. Unlike most WordPress vulnerabilities, which live in third-party plugins or themes, wp2shell is a core issue that works against a default installation with no plugins. This article provides the identifiers, affected versions, technical mechanics, mitigation steps, and explains why the open-source nature of WordPress created a uniquely dangerous situation even before any exploitation was confirmed.
WordPress versions 6.9.5 and 7.0.2 were released on July 17, 2026 to fix the wp2shell vulnerability chain. The flaw was discovered and responsibly disclosed by Adam Kues of Assetnote, part of Searchlight Cyber . Due to the severity, the WordPress team enabled forced automatic updates for all affected sites
.
The wp2shell attack is a two-vulnerability chain :
author__not_in parameter of WP_Query. Rated high severity The wp2shell attack chains two bugs :
CVE-2026-60137 is an unauthenticated SQL injection. By sending crafted HTTP requests to the author__not_in parameter, an attacker can inject malicious SQL into the WordPress database without any login credentials.
CVE-2026-63030 is a route confusion flaw in the REST API batch endpoint (/wp-json/batch/v1). This endpoint processes multiple sub-requests in a single call. A parsing quirk causes two internal arrays to go out of step, allowing an attacker to bypass route restrictions and chain internal API calls that would normally be disallowed .
When combined, an attacker uses the batch endpoint to make nested requests that abuse the SQL injection. This escalates to full remote code execution by:
INTO OUTFILEThe attack requires no authentication, no plugins, and works on a default WordPress installation . As of July 18, 2026, a public proof-of-concept checker was released at wp2shell.com, and a working PoC exploit is circulating
.
One important nuance: a persistent object cache (such as Redis or Memcached) may partially mitigate or change the exploit path, but it does not eliminate the underlying vulnerability .
wp-includes/version.php.wp-content/uploads/, unfamiliar admin users, or unusual database entries. Although no mass exploitation has been confirmed, the public PoC means scanning has likely started.FILE privilege (which enables INTO OUTFILEEven with no confirmed exploitation in the wild, the open-source model introduced a distinctive, acute risk for wp2shell:
In short, the open-source model means the patch itself becomes the detailed disclosure document, and the massive, variable-quality install base guarantees a long tail of vulnerable targets — creating a high-risk period even before any "official" exploitation is observed.
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
On July 17, 2026, WordPress shipped emergency updates (6.9.5, 7.0.2) to fix wp2shell, a critical unauthenticated remote code execution chain in core.