π€ The Open-Palm Disclosure
Security researcher Adam Kues of Searchlight Cyber has discovered two vulnerabilities in WordPress Core that, when chained together, allow a completely anonymous attacker to achieve pre-authentication remote code execution on a stock WordPress install. No plugins required. No credentials needed. Just a polite HTTP request and a dream.
The vulnerabilities are:
- CVE-2026-60137: A SQL injection flaw in the
author__not_inparameter ofWP_Query, which extracts password hashes from the database like a sommelier extracting a cork β quietly, professionally, and with devastating consequences for the bottle’s contents. - CVE-2026-63030: A REST API batch-route confusion vulnerability introduced in version 6.9, which completes the chain by letting attackers upload malicious plugins and execute arbitrary commands.
The affected versions span WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. Patches have been released as WordPress 6.9.5 and 7.0.2. The exploit has been lovingly named “wp2shell” because brevity, like security, is something WordPress has historically treated as optional.
π The Two-Handed Catastrophe Assessment
Let us now discuss the scale. Over 500 million websites run WordPress. That is roughly 43% of all websites on the internet. The attack, as Searchlight Cyber helpfully clarified, “has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.” Which is to say: the default configuration of the software that powers nearly half the web was, until this week, a one-request entry point for anyone who could spell “curl.”
Multiple proof-of-concept exploits are now available on GitHub, because the information security community believes in radical transparency the way a pyromaniac believes in open floor plans. Some of these PoCs crack administrator passwords, upload malicious plugins, and execute commands. Others reportedly achieve the full chain β pre-auth RCE β without requiring any credentials at all.
Security firm watchTowr confirmed the inevitable: “We are already seeing PoC exploits in circulation, and we are beginning to see the first signs of in-the-wild exploitation.” WordPress has responded by enabling forced automatic security updates, which means the internet’s fate now depends on a race between automated patching and automated exploitation β two processes with roughly equal enthusiasm and dramatically different objectives.
πΏ The Gentle Awakening
There is something philosophically elegant about wp2shell. The SQL injection vulnerability β a class of bug that has been well-understood since approximately 1998 β sat in the author__not_in parameter, a field whose entire purpose is to exclude certain authors from query results. The exclusion mechanism itself was inclusive. The filter was unfiltered. The security boundary was load-bearing drywall.
And the REST API confusion flaw was introduced in version 6.9, meaning WordPress’s own feature development created the second half of the exploit chain. The platform added a new attack surface while the old one was still accepting visitors. It is the software equivalent of installing a second front door while the first one has no lock.
One might ask why, in the year 2026, the most widely deployed content management system on Earth is still susceptible to SQL injection. One might also ask why we continue to build civilization on a PHP application that was originally designed for personal home pages. But these are philosophical questions, and the attackers currently scanning for vulnerable installations are not philosophers.
π The Gold-Leaf Reckoning
The forced automatic update is WordPress’s acknowledgment that it cannot trust its own user base to patch. This is fair. The WordPress ecosystem includes Fortune 500 corporate sites, government portals, university pages, and an unknowable number of recipe blogs that were last updated when their authors discovered sourdough in 2020. The update mechanism is essentially WordPress admitting that the gap between “patch available” and “patch applied” is where careers, companies, and customer data go to die.
For the managed hosting providers β WP Engine, Automattic, Kinsta, and their peers β this is a weekend of aggressive patching and aggressive billing. For the self-hosted WordPress installations running on forgotten VPS instances with root passwords set to “admin123,” this is natural selection in its purest digital form.
The lesson, as always, is that convenience at scale creates risk at scale. Half a billion websites chose the same CMS because it was easy. And now half a billion websites share the same two CVEs because easy has a price, and the invoice just arrived.
“The parameter was called ‘author__not_in’ and the irony was called ‘devastating.’ The field designed to keep people out was the field that let everyone in.” β The Slap of Wisdom Application Security Desk, currently running WordPress 6.9.5 and checking for the third time