- July 17, 2026
"WP2Shell" Critical WordPress RCE Chain (CVE-2026-63030 & CVE-2026-60137)
On July 17th, WordPress disclosed two separate vulnerabilities which when chained together, could enable a remote unauthenticated attacker to achieve Remote Code Execution on default installations of the WordPress “core” product.
Executive Summary
On July 17th, WordPress disclosed two separate vulnerabilities which when chained together, could enable a remote unauthenticated attacker to achieve Remote Code Execution on default installations of the WordPress “core” product. The vulnerabilities include CVE-2026-63030, a flaw in the REST API which can be paired with a SQL Injection vulnerability, CVE-2026-60137 in order to achieve Remote Code Execution.
The vulnerability was discovered by a researcher at Searchlight, and Beazley Security is not aware of any in the wild exploitation of this vulnerability at the time of writing. Additionally, there are currentlyno publicly available proof-of-concept exploits available, and Searchlight did not provide enough technical details to easily create one. WordPress made patches available before public disclosure, and Cloudflare simultaneously released Web Application Firewall (WAF) protections for sites behind its service.
Given the widespread use of WordPress, the presence of the vulnerability in the core software, and the apparent ease of exploitation, Beazley Security expects threat actors to reverse engineer patchesand attempt to exploit WordPress installations at scale. Beazley Security strongly recommends organizations apply available patches immediately, or deploy mitigations such as WAF rules.
Affected Systems or Products
Product | Affected Version | Fixed Version |
WordPress 6 | 6.9.0 – 6.9.4 | 6.9.5 |
WordPress 7 | 7.0.0 – 7.0.1 | 7.0.2 |
Versions before 6.9.0 are not affected.
Mitigations / Workarounds
If security update patches cannot be immediately applied, the following recommended mitigations were provided for this specific vulnerability:
Block anonymous access to the rest API, this can be achieved with plugins like Disable WP REST API, which are available on the official WordPress Plugin Directory.
Block traffic to the web endpoints
/wp-json/batch/v1and?rest_route=/batch/v1via a Web Application Firewall (WAF).Cloudflare has deployed new WAF rules to protect all customers, including those on free and paid plans, if their application traffic is proxied through the Cloudflare WAF. The rules were reportedly deployed at 17:03 UTC on July 17, 2026.
Patches
Patches were already released at the time of advisory and can be found on the WordPress site and their GitHub repository.
Technical Details
At the time of publication, WordPress provided limited technical information about the critical vulnerabilities in its security release. However, Cloudflare published a concurrent advisory announcing new Web Application Firewall (WAF) protections for both critical vulnerabilities and additional technical analysis.
According to Cloudflare, CVE-2026-60137 is a SQL injection vulnerability affecting WordPress 6.8 and later, while CVE-2026-63030 is an unauthenticated remote code execution vulnerability affecting WordPress 6.9 and later. The RCE vulnerability is directly related to the SQL injection flaw and can be exploited through the REST API batch endpoint when a persistent object cache is not enabled.
The root cause lies in a route confusion condition within the REST API Batch Endpoint that causes attacker-controlled input to be misrouted or interpreted incorrectly. This allows crafted requests to reach unintended code paths, ultimately triggering the SQL injection vulnerability and providing a path to remote code execution.
Beazley Security recommends organizations upgrade to the latest supported version of WordPress as soon as possible, prioritizing patching of internet facing instances of the software. Organizations leveraging Cloudflare should ensure the latest managed WAF rules are enabled.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.