FORSMILE
JA
セキュリティ2026/07/18

[URGENT] WordPress CVE-2026-63030 and others: Immediate Update to Prevent RCE — Risk of Unauthenticated Code Execution

An unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2026-63030 and others, has been identified in WordPress. An immediate update to the patched version is required.

Back to Blog

A critical vulnerability chain, named 'wp2shell', leading to unauthenticated remote arbitrary code execution (RCE) in WordPress, has been discovered, and its patched version was released on July 17, 2026. This vulnerability chain primarily consists of 'REST API Batch Route Confusion (CVE-2026-63030)' and 'SQL Injection within WP_Query (CVE-2026-60137)'. It does not require any special plugins or configurations and poses a risk of code execution on the server with just a single anonymous HTTP request. Within 24 hours of the patch release, Proof of Concept (PoC) exploits have already been published, making the likelihood of active exploitation extremely high. Consequently, the WordPress project has taken the unusual step of enabling mandatory automatic updates.

Immediate Actions to Take

  • Update to the patched versions confirmed by official sources (WordPress 6.8.6, 6.9.5, or 7.0.2)
  • Apply official workarounds until updated (e.g., blocking API endpoints at the web server level)
  • Check for signs of compromise (e.g., suspicious files or processes)

Vulnerability Overview and Scope of Impact

This vulnerability chain, named 'wp2shell', exploits multiple bugs in WordPress's internal processing. Specifically, 'REST API Batch Route Confusion (CVE-2026-63030)' allows access to unintended API routes. When combined with 'SQL Injection within WP_Query (CVE-2026-60137)', this ultimately enables an unauthenticated attacker to execute arbitrary code on the server. WordPress versions 6.9.0 through 6.9.4, and 7.0.0 through 7.0.1 are confirmed to be particularly affected. The patched versions released are 6.8.6, 6.9.5, and 7.0.2. Due to the rapid publication of PoC code, there are concerns about widespread attacks on many sites, leading the WordPress project to trigger mandatory automatic updates, typically reserved for the most severe cases.

⚠ CVE Score — 最高危険度 / CRITICAL
9.8CRITICALCVE-2026-63030

Specific Impact and Attack Scenarios

Attackers can exploit specific batch endpoints of the WordPress REST API to execute arbitrary PHP code on vulnerable WordPress installations without undergoing the normal authentication process. This can lead to severe damage, including website content defacement, data theft, malware injection, and even complete takeover of the server itself. Indeed, within just 24 hours of the vulnerability patch release, 14 repositories, including exploits, scanners, and validation labs, have appeared on GitHub, indicating a very high risk of active exploitation.

Remediation Steps and Verification Methods

From your WordPress admin dashboard, promptly update to the latest versions: WordPress 6.8.6, 6.9.5, or 7.0.2. If automatic updates are enabled, it might already be applied, but please check your version and consider manual application to be safe. If updating is difficult, you can implement a workaround by temporarily blocking access to the REST API batch endpoint, which serves as an attack vector, in your web server (e.g., Nginx) configuration. Additionally, in preparation for a potential compromise, it is recommended to regenerate site credentials (database passwords, secret keys, etc.) and authentication salts, and to check logs for any suspicious files or database changes.

nginx
location ~* /wp-json/batch/v1 {
    deny all;
    # allow <信頼できるIPアドレス>;
    return 403;
}
📦
Amazon で関連書籍・ツールを検索
cybersecurity server security tools
Amazonで探す →(アソシエイトリンク)

Reference Sources / Official Patch Information

Related articles