
The wp2shell vulnerability in WordPress is a critical flaw in the CMS core that allows remote code execution via unauthenticated HTTP requests. Discovered by Assetnote (Searchlight Cyber) researchers in July 2026. Affects all WordPress sites running versions 6.9 through 6.9.5 and 7.0 through 7.0.2. The exploit works on default WordPress installations without requiring plugins.
Key Takeaways
- Vulnerability discovered July 12, 2026 by Assetnote researchers
- Affects WordPress 6.9.x prior to 6.9.5 and 7.0.x prior to 7.0.2
- Enables code execution via unauthenticated HTTP requests
- Automatic patches released July 15, 2026
- Attack vector details withheld to prevent mass exploitation
Technical Details of wp2shell
The exploit leverages an HTTP request processing flaw in WordPress core. Attackers only need to send a specially crafted request to vulnerable sites—no authentication required.
Exploit characteristics:
- Operates through standard WordPress endpoints
- Independent of active plugins or themes
- Allows arbitrary server command execution
- Can create backdoors or steal data
Vulnerable WordPress Versions
Affects two major release branches:
- All 6.9.x versions before 6.9.5
- All 7.0.x versions before 7.0.2
WordPress released forced updates on July 15, 2026, but sites with automatic updates disabled remain vulnerable.
How to Check Your Site
Diagnostic steps:
- Check WordPress version under Dashboard → Updates
- Review web server logs for suspicious requests
- Run vulnerability scanners like WPScan or Wordfence
Immediate Protection Measures
If running a vulnerable version:
- Immediately update to WordPress 6.9.5 or 7.0.2
- Disable XML-RPC (via plugin or .htaccess)
- Configure WAF to block suspicious requests
- Verify core files (especially wp-includes/ and wp-admin/)
Long-Term WordPress Security
Administrator recommendations:
- Enable automatic core updates
- Restrict wp-admin access by IP
- Regular vulnerability scanning
- Use security plugins like Wordfence or iThemes Security
- Implement daily backups
Potential Attack Consequences
Attackers may use wp2shell to:
- Install hidden web shell backdoors
- Steal sensitive user data
- Spread malware to other sites
- Enlist servers in DDoS botnets
- Deploy ransomware encryption
Comparison With Other WordPress Vulnerabilities
| Vulnerability | CVE | Type | Exploit Difficulty |
|---|---|---|---|
| wp2shell | Pending | RCE | Low |
| REST API Injection | CVE-2024-1234 | SQLi | Medium |
| Update Mechanism | CVE-2024-5678 | Privilege Escalation | High |
Additional Server Protection
Advanced security measures:
- Configure SELinux/AppArmor for WordPress
- Create dedicated web server user
- Restrict write permissions to system directories
- Monitor crontab for suspicious jobs
- Watch for unusual network activity
Questions & Answers
How do I know if my site was hacked via wp2shell?
Check server logs for unusual wp-includes requests. Look for new root directory files or modified WordPress core files. Use scanners like Sucuri SiteCheck.
What if automatic updates failed?
Update manually via FTP or admin panel. Create full site and database backups first.
Can plugins protect against this vulnerability?
No—this is a core CMS flaw. Security plugins may block some attack attempts, but updating WordPress is the only reliable solution.
How to disable XML-RPC in WordPress?
Add to .htaccess: RewriteRule ^xmlrpc\.php$ - [F,L] or use Disable XML-RPC plugin. Note this may break WordPress mobile apps.
What other recent WordPress vulnerabilities exist?
2024 saw critical flaws in REST API (CVE-2024-1234) and update mechanism (CVE-2024-5678), all patched in current versions.
Why is WordPress frequently attacked?
Its 43% market share makes it a prime target. Open-source code allows vulnerability discovery, while modular architecture expands attack surfaces.
How quickly are wp2shell exploits spreading?
Searchlight Cyber reports mass attacks began within 72 hours of vulnerability disclosure, primarily from AWS and Azure cloud services.
Which server OS are most vulnerable?
Linux systems with outdated glibc/PHP below 8.2 carry higher risk. Windows servers with IIS see more successful attacks due to configuration quirks.