Security Bulletin — July 18, 2026: Emergency WordPress Core Update — Pre-Authentication SQL Injection Chain "wp2shell" (CVE-2026-60137 & CVE-2026-63030)
18 July 2026 · jproxx Security
This is our daily security overview, in which we review the published vulnerabilities and highlight those that are actually relevant for the operation of WordPress websites, online shops, and PHP applications. Every statement in this bulletin has been verified against the underlying primary source and linked at the end of the respective section. July 18 is, exceptionally, dominated by a single but exceptionally serious event: a vulnerability in the WordPress core itself — not in a plugin or theme. We have therefore deliberately set aside the usual selection of four smaller plugin flaws in favor of a focused edition. The WordPress security team has released the emergency versions 7.0.2, 6.9.5, and 6.8.6 and triggered forced background updates for affected installations. The cause is two related defects that combine into a pre-authentication attack chain tracked in security coverage under the name “wp2shell”: a SQL injection in the core query builder and a route confusion in the REST batch endpoint that makes the injection reachable without any login. Because WordPress powers a dominant share of all websites worldwide, this event affects practically every WordPress operator. There was no new Shopware advisory and no new PHP core vulnerability on this day.
CVE-2026-60137 — SQL Injection in the WordPress Core via the author__not_in Parameter (scoring disputed)
The core class WP_Query, through which WordPress assembles virtually all database queries
for posts and content, does not adequately sanitize the author__not_in parameter before
it is built into the SQL WHERE clause. When code passes untrusted input to this parameter,
attacker-controlled SQL can be injected into the database query. The risk assessment is
notably split: the assigning authority (WPScan, as CNA) rates the flaw in isolation as
medium with a CVSS score of 5.9 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), because on
its own it requires a plugin or theme to pass untrusted input to the parameter. The
supplementary assessment by CISA-ADP, by contrast, assigns a critical score of 9.1
(vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). The vulnerability class is CWE-89 (Improper
Neutralization of Special Elements used in an SQL Command). A successful injection allows
arbitrary database contents to be read — including user records and the password hashes of
administrators, which can be cracked offline. Affected are the WordPress branches 6.8.0 to
6.8.5, 6.9.0 to 6.9.4, and 7.0.0 to 7.0.1; versions before 6.8 are not affected. The core
fixes the issue in versions 6.8.6, 6.9.5, and 7.0.2.
Sources: National Vulnerability Database — CVE-2026-60137 · WordPress Security Advisory GHSA-fpp7-x2x2-2mjf
CVE-2026-63030 — REST Batch-Endpoint Route Confusion Makes the Injection Pre-Authenticated (critical)
The day’s true severity arises from the chaining. WordPress’s REST API batch endpoint
(/wp-json/batch/v1), which bundles multiple API calls into a single request, exhibits a
route confusion (CWE-436, Interpretation Conflict): the endpoint interprets the bundled
sub-requests differently from what the access checks defined for the individual routes
expect. This allows the SQL injection described above — which on its own would only be
reachable by a logged-in user or through a plugin that feeds it input — to be triggered
without any login. From the combination emerges the full, pre-authenticated path that runs
from the SQL injection through to remote code execution, referred to in coverage as
“wp2shell”. The assigning authority (WPScan, as CNA) rates this chain as critical with a
CVSS score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the supplementary CISA-ADP
assessment stands at 7.5. Affected by the route confusion are the branches 6.9.0 to 6.9.4
and 7.0.0 to 7.0.1 — so the full, login-free chain hits these versions, whereas in the 6.8.x
branch only the underlying SQL injection is present. The flaw is fixed in versions 6.9.5 and
7.0.2.
Sources: National Vulnerability Database — CVE-2026-63030 · WordPress Security Advisory GHSA-ff9f-jf42-662q
What Operators Should Do Now
The WordPress security team considers the matter serious enough that it triggered forced
background updates via the auto-update system for all affected installations. On sites where
automatic updates are active, the update should therefore already be in place or begin
shortly. Do not rely on that alone, however: check the installed core version under
“Updates” in the dashboard and confirm that it reads 7.0.2, 6.9.5, or 6.8.6 (depending on
the branch). Wherever automatic core updates have been disabled — for instance through a
constant in wp-config.php or via a management tool — the update must be applied manually
without delay. Because a publicly described exploitation path for the full chain exists and
the REST batch endpoint is reachable without authentication, prompt action is warranted; a
temporary access rule protecting the /wp-json/batch/v1 endpoint can bridge the attack
surface but does not replace the update.
Sources: WordPress 7.0.2 Security Release
Unsure whether you are affected? Get in touch.
This notice serves security-awareness purposes. The official advisories of the respective vendor and the primary sources linked above are always authoritative.