Aikido.Dev
Critical RCE Vulnerability in WordPress Affects Over 500 Million Sites
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
On July 17, 2026, a critical unauthenticated remote code execution (RCE) vulnerability, named 'wp2shell', was discovered in WordPress Core, affecting over 500 million websites. The flaw, reported by Adam Kues of Searchlight Cyber, arises from a REST API batch-route confusion that allows unauthenticated attackers to execute arbitrary code. WordPress has released an emergency patch (version 7.0.2) to address this vulnerability, and forced auto-updates have been enabled for affected sites. Versions below 6.9.0 are not vulnerable, but sites running version 6.8 are exposed to a separate SQL injection issue. Temporary mitigation measures include blocking access to specific REST API endpoints. Security professionals are urged to update their WordPress installations immediately to prevent potential exploitation.
Key Points: • A critical RCE vulnerability in WordPress affects over 500 million sites. • Emergency patch version 7.0.2 has been released to fix the flaw. • Temporary mitigations include blocking specific REST API endpoints.