-->
wp2shell: Pre Authentication RCE in WordPress Core › Searchlight Cyber
Skip to content
July 17, 2026
Security advisory
Adam Kues
wp2shell: Pre Authentication RCE in WordPress Core
Stay current: Get research alerts for newly disclosed vulnerabilities and exposures
Searchlight Cyber’s security research team has discovered a pre-authentication RCE in WordPress Core. The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.
It is estimated that over 500 million websites use WordPress.
Given the severity of the bug and to give defenders time to patch, we are not releasing technical details at this time. We are, however, releasing a website to determine if your instance is vulnerable. You can find it here: https://wp2shell.com/
Check if your site is impacted
wp2shell[.]com is a public tool developed by Searchlight Cyber
Affected WordPress versions
: not affected.
6.9.0 - 6.9.4: affected.
7.0.0 - 7.0.1: affected.
Mitigation
The best way to protect yourself is to update WordPress to version 7.0.2, or 6.9.5 if you are on the 6.9 branch. as soon as possible. If this isn’t possible, you can temporarily protect your instance by blocking anonymous access to the batch API, either by:
Installing a plugin that blocks anonymous access to the rest API entirely; or
Blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level.
Note that both these solutions may have an impact on legitimate use of the site and should only be considered emergency temporary measures until you can update.
About Searchlight Cyber
Customers of Searchlight Cyber’s ASM solution, Assetnote, are always first to receive checks for the novel vulnerabilities we discover – often weeks or months before public disclosure. Our Security Research Team continues to dig beyond public PoCs to deliver high-signal detections to our platform. Learn more.
Share this post
in this article
Related Research
Research
Smashing the ServiceNow Sandbox – Pre Authentication RCE
Find out more
Research
CargoWise WebTracker – The Keys Were in the Cargo
Find out more
Research
Two Bypasses for Chrome’s Sanitizer API
Find out more
Research
Keys to the Kingdom: Anonymous SQL Injection in Drupal Core (CVE-2026-9082)
Find out more
Book your demo: Identify cyber threats earlier– before they impact your business
Searchlight Cyber is used by security professionals and leading investigators to surface criminal activity and protect businesses. Book your demo to find out how Searchlight can:
Enhance your security with advanced automated dark web monitoring and investigation tools
Continuously monitor for threats , including ransomware groups targeting your organization
Prevent costly cyber incidents and meet cybersecurity compliance requirements and regulations
Fill in the form to get you demo
UK Office
Pure Offices, One Port Way, Port Solent,
Portsmouth PO6 4TY, United Kingdom
Registered in England & Wales
Company Registration Number - 10765196
+44 (0)345 862 2925
USA Office
44 Merrimac Street Newburyport, MA 01950
+1 (202) 6847516
beacon Cybersecurity newsletter
Get Cybersecurity News, Insights, & Intelligence straight to your inbox
Sign Up
Connect with us
Copyright © 2026 Searchlight Cyber