Critical RCE Vulnerability in WordPress Affects Over 500 Million Sites

Critical RCE Vulnerability in WordPress Affects Over 500 Million Sites

First seen 18 Jul 2026, 05:24 UTC Aikido.DevCybersecuritynews 76% similarity 74.3

Article Content

Browse articles
ThreatCluster

On July 17, 2026, a critical unauthenticated remote code execution (RCE) vulnerability, named 'wp2shell', was discovered in WordPress Core, affecting over 500 million websites. The flaw, reported by Adam Kues of Searchlight Cyber, arises from a REST API batch-route confusion that allows unauthenticated attackers to execute arbitrary code. WordPress has released an emergency patch (version 7.0.2) to address this vulnerability, and forced auto-updates have been enabled for affected sites. Versions below 6.9.0 are not vulnerable, but sites running version 6.8 are exposed to a separate SQL injection issue. Temporary mitigation measures include blocking access to specific REST API endpoints. Security professionals are urged to update their WordPress installations immediately to prevent potential exploitation.

Key Points: • A critical RCE vulnerability in WordPress affects over 500 million sites. • Emergency patch version 7.0.2 has been released to fix the flaw. • Temporary mitigations include blocking specific REST API endpoints.

ThreatCluster AI

Timeline

2026-07-17
Critical RCE vulnerability discovered
The 'wp2shell' flaw allows unauthenticated attackers to execute code on WordPress sites, affecting over 500 million installations.
Aikido.Dev
2026-07-17
Emergency patch released
WordPress released version 7.0.2 to fix the critical RCE vulnerability and enabled forced auto-updates for affected sites.
Aikido.Dev
2026-07-18
Security advisory issued
Security researchers emphasize the urgency of updating WordPress installations to mitigate the risk of exploitation.
Cybersecuritynews

Community

Browse all →