wp2shell: Pre Authentication RCE in WordPress Core
wp2shell
Pre Authentication RCE in WordPress Core
Searchlight Cyber's security research team has discovered a<br>pre-authentication RCE in WordPress Core.<br>The attack has no preconditions and can be exploited by an anonymous user in a stock<br>install of WordPress with no plugins.
It is estimated that over 500 million websites use WordPress. Given the severity of<br>the bug and to give defenders time to patch, we are not releasing technical details<br>at this time. We are, however, releasing a checker so you can determine whether your<br>instance is vulnerable. Check your site directly below.
wp2shell checker
Scan
Versions Affected
not affected<br>6.9.0 - 6.9.4affected, fixed in 6.9.5<br>7.0.0 - 7.0.1affected, fixed in 7.0.2
Mitigation
The best way to protect yourself is to update WordPress immediately. WordPress 7.0.2<br>contains the fix (or 6.9.5 if you are on the 6.9 branch). Until you can update, there<br>are multiple mitigation options:
Install the plugin Disable WP REST API to disable unauthenticated<br>users from using the WordPress API. This is the easiest option but does have a possible<br>low risk of breaking existing functionality.
Use a WAF to block the path /wp-json/batch/v1 and the query parameter<br>rest_route=/batch/v1 (both of these patterns must be blocked to secure<br>your instance).
Drop the following custom plugin into<br>wp-content/plugins/disable-batch-api-for-unauth.php on the filesystem for<br>your WordPress instance via SSH or FTP and enable it from Plugins in<br>the admin panel:<br>get_route() );
if ( '/batch/v1' !== $route || is_user_logged_in() ) {<br>return $result;
return new WP_Error(<br>'rest_batch_authentication_required',<br>'Authentication is required to use the batch API.',<br>array( 'status' => 401 )<br>);
add_filter( 'rest_pre_dispatch', 'wporg_require_authentication_for_rest_batch', -1000, 3 );
Note that these solutions may have impact on legitimate use of the site and should only<br>be considered emergency temporary measures until you can update.
Credits
Discovered and authored by<br>Adam Kues<br>of Searchlight Cyber.