New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code — Swati KhandelwalJul 17, 2026Vulnerability / Web Security [https://blogger.googleu
What’s new: A critical vulnerability, dubbed wp2shell, has been discovered in WordPress core that allows unauthenticated attackers to execute code on affected sites. This flaw affects WordPress versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1, which have been patched in versions 6.9.5 and 7.0.2 released on July 17, 2026. The vulnerability can be exploited through an anonymous HTTP request without any preconditions.
Who’s affected
All WordPress installations running versions 6.9.0 to 6.9.4 and 7.0.0 to 7.0.1 are vulnerable. WordPress has an estimated total install base of over 500 million websites, but the vulnerable code only exists in the specified versions released since December 2025.
What to do
- Update to WordPress version 6.9.5 or 7.0.2 immediately to mitigate the vulnerability.
- If unable to update, consider implementing one of the following temporary mitigations:
- Block access to the batch endpoint at the WAF level by blocking both /wp-json/batch/v1 and rest_route=/batch/v1.
- Disable the WP REST API using a plugin to prevent unauthenticated access.
- Use a drop-in plugin that rejects anonymous /batch/v1 requests.



