Qutzl Insights

Advertisement

4 min read

WordPress Core CVE-2026-63030: patch 7.0.1 and older branches now

Critical unauthenticated RCE (wp2shell) hits WordPress 7.0.0–7.0.1 and 6.9.0–6.9.4. What the CVEs mean, which versions are fixed, and what SMBs should do today.

By Michael NarehoodHosting

On July 17, 2026, WordPress published emergency security releases for a critical remote code execution chain known in the industry as wp2shell. If your site runs WordPress 7.0.0 or 7.0.1, or an unpatched 6.9.x build, treat this as an all-hands patch, not a “next maintenance window” item.

Public exploit material is already circulating. WordPress.org has enabled forced automatic updates for affected installs because of the severity.

What was disclosed

Two related issues chain together:

CVE Issue Severity
CVE-2026-63030 REST API batch-route confusion that enables RCE when combined with SQL injection Critical
CVE-2026-60137 SQL injection via WP_Query (author__not_in) High

Together, an unauthenticated attacker can abuse the REST batch endpoint (/wp-json/batch/v1) on a stock WordPress install. No malicious plugin required. Successful exploitation can mean full site takeover: admin access, malicious plugins, data theft, and persistent backdoors.

Credit for the RCE chain goes to Adam Kues (Assetnote / Searchlight Cyber). WordPress documented the fixes in the 7.0.2 release notes.

Which versions are affected and which are fixed

Do not assume “we are on an older major line so we are fine.” Several supported branches needed updates:

Branch Affected Fixed release
7.0 7.0.0 – 7.0.1 7.0.2
6.9 6.9.0 – 6.9.4 6.9.5
6.8 SQL injection only (CVE-2026-60137) 6.8.6
7.1 beta Affected beta builds 7.1 Beta 2
Before 6.8 Not affected by these CVEs No action for this advisory

If you stayed on 7.0.1 (or never took the 6.9.5 / 6.8.6 security builds), you are in the danger zone until you confirm the patched version is live.

What to do today

  1. Check the version in WordPress Admin → Updates (or wp core version via WP-CLI). You want 7.0.2, 6.9.5, 6.8.6, or a later fixed release for your branch.
  2. Update immediately: Dashboard → Updates → Update Now, or apply your usual staging-then-production process without delaying production if the site is internet-facing.
  3. Confirm auto-update actually landed. Forced updates help, but hosting freezes, failed cron, object-cache quirks, and “managed” platforms that pin versions can leave you behind. Verify the running version after the fact.
  4. Inventory every public WordPress site you own or manage: marketing sites, microsites, staging that is reachable from the internet, client sites, and forgotten subdomain installs.
  5. If a site was exposed while unpatched, assume compromise until proven otherwise: review users and plugins, scan for unexpected PHP/files, rotate credentials and application passwords, and check web server / WAF logs around the disclosure window.

Temporary mitigations (only until you patch)

Patching is the real fix. If you truly cannot update for a few hours, WordPress-adjacent guidance has included blocking unauthenticated access to the batch REST route (WAF rules or a must-use plugin). Treat any workaround as short-term cover, not a substitute for 7.0.2 / 6.9.5 / 6.8.6.

Why this matters for small businesses

WordPress still powers an enormous share of business websites. An unauthenticated RCE in core is the kind of flaw attackers automate against the whole internet within hours of public PoCs. “We only have a brochure site” is not a reason to wait. Brochure sites are often the foothold into email, forms, and brand trust.

If Qutzl manages your WordPress hosting or website care, we are treating this as a priority patch cycle. If you run WordPress yourself and want a second set of eyes on version inventory and post-patch hygiene, contact us or open a ticket.

Bottom line: Get off 7.0.1 (and any other unpatched affected branch) today. Confirm 7.0.2, 6.9.5, or 6.8.6, then verify nothing unexpected changed while you were vulnerable.