In what security experts are calling "peak 2026 energy," WordPress has once again reminded everyone that even a squeaky-clean default install can become a hacker's all-you-can-execute buffet with nothing more than a single anonymous HTTP request.Ladies and gentlemen, meet wp2shell (CVE-2026-63030) — the shiny new pre-auth remote code execution vulnerability in WordPress 6.9 and 7.0. No login required. No plugins. No special configuration. Just point your malicious packet at a vulnerable site and watch the magic happen. It's almost elegant in its laziness.The flaw, discovered by researchers at Assetnote and responsibly reported, cleverly abuses the REST API's batch request handling with a side of SQL injection. Think of it as the software equivalent of leaving the front door wide open while posting on social media about how secure your new smart lock is. WordPress pushed fixes in 7.0.2 and 6.9.5 on July 17, complete with forced auto-updates because apparently enough site owners treat patching like optional dental floss.
If you're running anything from 6.9.0 to 6.9.4 or 7.0.0 to 7.0.1, congratulations — your site was potentially wide open to anyone with basic scripting skills and a grudge (or just boredom). The REST API batch endpoint has been chilling in core since version 5.6, quietly waiting for its villain origin story.WordPress.org deserves a slow clap for the rapid response and forced updates. But let's be real: in a world where millions of sites still run ancient versions like digital fossils, "update now" feels less like advice and more like a cry for help.
What Should You Do? (Spoiler: Not Ignore This)
Update immediately to 7.0.2 or 6.9.5. Yes, right now. Your custom theme will survive.
Check your version and test at the researchers' checker (because trusting auto-updates is apparently how we got here).
Scan logs for suspicious batch requests — the digital equivalent of checking for muddy footprints in your living room.
If updating is somehow impossible (we've all heard the excuses), block the batch endpoint or use temporary mitigations. But remember: bandaids don't fix arteries.
For the truly paranoid (or responsible), this is yet another reminder that "default install with zero plugins" is not the flex some people think it is.






