Critical WordPress Core RCE & SQLi Flaws: Secure Your Site Now

Two Massive Vulnerabilities Rock WordPress Core
The WordPress security community is on high alert following the discovery of two highly critical vulnerabilities affecting WordPress Core versions up to 7.0.1. With over 500 million websites relying on WordPress, the discovery of a Pre-Authentication Remote Code Execution (RCE) and an Unauthenticated SQL Injection means that administrators need to act immediately.
Here is a breakdown of what you need to know, how these exploits work, and how to secure your site.
1. WP2Shell: Pre-Authentication RCE via REST API (CVE-2026-63030)
Discovered by security researcher Adam Kues from Searchlight Cyber, this vulnerability carries a critical CVSS score of 9.8. Dubbed “wp2shell,” this attack exploits a route confusion bug in the REST API Batch Request.
- The Threat: It has absolutely zero preconditions. An anonymous user can exploit a stock, default installation of WordPress (even with no plugins active) to execute arbitrary code on the server.
- Affected Versions: 6.9.0 through 6.9.4, and 7.0.0 through 7.0.1.
- Patched Versions: 6.9.5 and 7.0.2.
2. Unauthenticated SQL Injection via author__not_in (CVE-2026-60137)
Running concurrently with the RCE is a severe SQL Injection vulnerability (CVSS 7.5). This flaw was uncovered by a collaborative effort from security researchers Tin Pham (TF1T), Trong Pham (dtro), and haongo. Due to insufficient escaping on the user-supplied author__not_in parameter and a lack of sufficient preparation on the existing SQL query, unauthenticated attackers can append dangerous SQL strings.
- The Threat: Attackers can bypass authentication to extract sensitive data directly from your database.
- Affected Versions: 6.8 through 6.8.5, 6.9 through 6.9.4, and 7.0 through 7.0.1.
- Patched Versions: 6.8.6, 6.9.5, and 7.0.2.
How to Mitigate the Threats Immediately
The absolute best course of action is to update WordPress core immediately to version 7.0.2 or 6.9.5 (depending on your current core branch). Fortunately, WordPress has enabled forced automatic background updates for these critical security releases, but you should manually verify that your site has successfully updated.
If you are unable to update right this second or need to secure a legacy environment, you must apply temporary emergency measures for both vulnerabilities.
Mitigating the WP2Shell RCE (CVE-2026-63030)
Adam Kues from Searchlight Cyber recommends the following emergency workarounds to block the route confusion attack:
- Utilize a WAF: Configure your Web Application Firewall to block the path
/wp-json/batch/v1and the query parameterrest_route=/batch/v1. - Disable the REST API: Install the Disable WP REST API plugin to stop unauthenticated users from pinging the API. (Note: this carries a low risk of breaking existing site functionality).
- Apply a Custom Patch: Drop the following code into a file named
disable-batch-api-for-unauth.phpinside yourwp-content/plugins/directory and activate it:
<?php
/**
* Plugin Name: Disable Unauthenticated REST Batch API
* Description: Requires an authenticated WordPress user for REST batch requests.
* Version: 1.0.0
* Requires at least: 5.6
* License: GPL-2.0-or-later
*/
defined( 'ABSPATH' ) || exit;
function wporg_require_authentication_for_rest_batch( $result, $server, $request ) {
if ( '/batch/v1' !== strtolower( untrailingslashit( $request->get_route() ) ) || is_user_logged_in() ) {
return $result;
}
return new WP_Error(
'rest_batch_authentication_required',
'Authentication is required to use the batch API.',
array( 'status' => 401 )
);
}
add_filter( 'rest_pre_dispatch', 'wporg_require_authentication_for_rest_batch', -1000, 3 );
Mitigating the SQL Injection (CVE-2026-60137)
Because the SQL injection targets the internal WP_Query class via the author__not_in parameter, stopping it requires handling how parameters are passed into the query parser. If you are on an older, unpatched environment (such as the 6.8 branch, which isn’t hit by WP2Shell but is highly vulnerable to this SQLi), blocking the REST API alone will not stop an attacker who finds another way to pass query arguments.
To safely neutralize this payload, you can enforce strict type casting. Drop the following custom hotfix into a file named cve-2026-60137-hotfix.php inside your wp-content/mu-plugins/ directory (Must-Use Plugins) to aggressively sanitize the parameter down to safe integers before the database executes it:
<?php
/**
* Plugin Name: CVE-2026-60137 Emergency Hotfix
* Description: Mitigate CVE-2026-60137 by normalizing and sanitizing the author__not_in parameter.
* Version: 1.0.0
* License: GPL-2.0-or-later
*/
defined( 'ABSPATH' ) || exit;
add_action( 'pre_get_posts', function ( WP_Query $query ) {
$authors = $query->get( 'author__not_in' );
// Nothing to sanitize.
if ( empty( $authors ) ) {
return;
}
// Normalize to an array.
if ( ! is_array( $authors ) ) {
$authors = explode( ',', (string) $authors );
}
// Keep only positive integer IDs.
$authors = array_values(
array_filter(
array_unique(
array_map( 'absint', $authors )
)
)
);
$query->set( 'author__not_in', $authors );
}, 9999 );
WAF Rules for author__not_in: In addition to the PHP fix above, you can implement Web Application Firewall (WAF) rules to detect and block anomalous non-numeric strings attempting to leverage the author__not_in parameter. Under normal operation, this parameter should only contain commas and integers.
How Evolge Technologies Keeps You Safe
Security isn’t a passive task, it requires constant vigilance. At Evolge Technologies, our developers keep an eagle eye out for every new security vulnerability. We make sure that before attackers can even attempt to sneak into your site, we’ve already updated your system with the patched version and kicked their a$$.
This aggressive, proactive approach to security is driven by in-house experts like Hardik Patel/Lakkad. Alongside his development work, he is an active security researcher who hunts for bugs in the WordPress ecosystem. He has discovered and submitted multiple plugin vulnerabilities that have been officially approved by Wordfence, you can view his verified track record on his Wordfence researcher profile (bhayanak-atma).
Don’t wait for your site to become a statistic. Update your WordPress core today, and partner with our developers who take your security as seriously as you do.


