WordPress released 6.9.5 and 7.0.2 on July 17 to patch a pre-authentication remote code execution vulnerability, tracked publicly as wp2shell, that lets an unauthenticated attacker run arbitrary code against a default WordPress install with no plugins required.
REST API Batch Route Confusion Plus SQL Injection
Researcher Adam Kues at Searchlight Cyber subsidiary Assetnote reported the flaw through WordPress's HackerOne program. In its release notes, WordPress described the finding as "a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution." The batch endpoint has shipped in WordPress core since version 5.6 in November 2020, but the exploit chain only became reachable in the 6.9 branch, released in December 2025.
Two ranges are affected: WordPress 6.9.0 through 6.9.4, fixed in 6.9.5, and 7.0.0 through 7.0.1, fixed in 7.0.2. The 7.1 beta2 pre-release ships the same fix, and sites still on the 6.8 branch received a 6.8.6 update that closes the related SQL injection reported separately.
Force-Push Instead Of Waiting
Because a proof of concept requires no configuration and no plugins, WordPress took the unusual step of force-pushing 6.9.5 and 7.0.2 through its auto-update system rather than waiting for administrators to click Update. Site owners who explicitly disabled auto-updates should treat the patch as manual work; WordPress has not clarified whether the forced push overrides opt-outs. Assetnote is holding the technical writeup and has published a wp2shell.com checker so operators can test their own installs.
No CVE Yet And Mitigations Are Blunt
Neither WordPress nor Searchlight has assigned a CVE ID or CVSS score, which means CVE-keyed vulnerability scanners will not flag the flaw and CISA cannot yet add it to the Known Exploited Vulnerabilities catalog. Operators are told to track it by version number. Emergency stopgaps until the patch lands include WAF rules blocking both /wp-json/batch/v1 and rest_route=/batch/v1, disabling the WordPress REST API entirely, or dropping in a small must-use plugin that rejects anonymous requests to the batch route at rest_pre_dispatch.
Why It Matters
WordPress powers a large fraction of the public web, so a default-configuration RCE is close to a worst case. There have been no confirmed exploitation attempts as of July 18, but public diffs between 7.0.1 and 7.0.2 are already available in the WordPress release archive, and the same team that dissected Drupal's core SQL injection in May turned that patch into working proofs of concept the same day. That is the clock every WordPress operator is racing against. The incident also arrives on the heels of Microsoft's record 570-CVE July Patch Tuesday and SonicWall's SMA 1000 CISA-flagged zero-days, an unusually noisy month for pre-auth flaws in widely deployed infrastructure.
Reporting based on coverage from The Hacker News, Searchlight Cyber and the WordPress Core release notes.
