Key Takeaways
- An unauthenticated (anonymous) HTTP request can trigger remote code execution (RCE) on any default WordPress install running versions 6.9.0‑6.9.4 or 7.0.0‑7.0.1.
- The flaw resides in the core REST API batch route and involves a confusion that leads to SQL injection, ultimately allowing code execution; it requires no plugins or authentication.
- WordPress patched the issue in releases 6.9.5 and 7.0.2 (also present in 7.1 beta2) and pushed the fixes via its forced‑auto‑update mechanism on July 17, 2026.
- No CVE identifier or CVSS score has been assigned yet, so scanners that rely on CVE data will not flag the vulnerability; administrators must verify versions manually.
- Temporary mitigations include blocking both /wp-json/batch/v1 and the query‑string variant rest_route=/batch/v1 at a WAF, disabling the REST API entirely, or using a drop‑in plugin that rejects anonymous batch requests—each may break legitimate integrations.
Overview of the Vulnerability
The security issue identified by Adam Kues of Assetnote (operating under the Searchlight Cyber brand) is a pre‑authentication remote code execution flaw present in WordPress core. An attacker can send a specially crafted anonymous HTTP request to the REST API’s batch endpoint and achieve arbitrary code execution on the server without needing any plugins, themes, or authenticated access. The vulnerability stems from a confusion in how the batch route processes requests, which can be leveraged to inject SQL that ultimately leads to code execution. Because the bug lives in the core codebase, even a “bare” WordPress installation with zero plugins is exploitable.
Discovery and Reporting
Kues discovered the flaw during routine security research and reported it through WordPress’s HackerOne bug‑bounty program. The detailed write‑up, published under the pseudonym wp2shell, emphasizes that the attack has “no preconditions and can be exploited by an anonymous user.” To assist site owners while keeping the technical specifics under wraps, Assetnote launched a public checker at wp2shell.com where administrators can test whether their instance is vulnerable. As of July 18, 2026, no public exploitation attempts have been observed, likely because the details remain non‑public and no CVE‑based signatures exist yet.
Affected Versions and Patches
Two version ranges are impacted:
- WordPress 6.9.0 through 6.9.4 – fixed in 6.9.5
- WordPress 7.0.0 through 7.0.1 – fixed in 7.0.2
Both patches were released on July 17, 2026, alongside the 7.1 beta2 build, which also incorporates the fix. WordPress employed its forced‑auto‑update system to push the updates, though it has not confirmed whether sites that have explicitly disabled auto‑updates received the patch. Administrators are advised to verify the actual version running on their servers rather than assuming the update arrived automatically. Sites still on the older 6.8 branch are not vulnerable to this specific flaw, though they may have pending updates for unrelated issues (e.g., a second SQL‑injection bug addressed in 6.8.6).
Technical Details (High‑Level)
WordPress’s release notes describe the bug as “a REST API batch‑route confusion and SQL injection issue leading to Remote Code Execution.” The vulnerable code resides in three files modified in the 7.0.2 patch:
/wp-includes/rest-api/class-wp-rest-server.php/wp-includes/class-wp-query.php/wp-includes/rest-api.php
The batch endpoint (/wp-json/batch/v1) has been part of WordPress since version 5.6 (November 2020) and is publicly documented. What changed in the 6.9 series to expose the flaw has not been disclosed in the advisories, but the patch indicates that the logic handling batch requests was adjusted to prevent the confusion that allowed SQL injection to propagate to code execution paths. No CVE identifier or CVSS score has been assigned as of July 18, 2026, meaning that standard vulnerability scanners relying on CVE feeds will not automatically detect the issue.
Mitigation Options (Stopgap Measures)
Until a site can be updated, Searchlight recommends three temporary mitigations, each of which may interfere with legitimate REST API usage:
- Web Application Firewall (WAF) Rules – Block both the path‑based endpoint
/wp-json/batch/v1and the query‑string variantrest_route=/batch/v1. Blocking only one leaves the other open, so both must be covered. - Disable the WP REST API – Turning off the REST API entirely eliminates unauthenticated access to the batch route, but it also breaks any plugins, themes, or headless integrations that rely on REST endpoints.
- Drop‑in Plugin – Deploy a small plugin that hooks into
rest_pre_dispatchto reject anonymous requests targeting/batch/v1. This approach is less disruptive than a full API disable but still requires careful testing to ensure legitimate batch requests from authenticated users are not inadvertently blocked.
All three measures are intended as short‑term defenses; the definitive solution is to apply the official patches.
Impact and Exploitation Landscape
WordPress powers an estimated 500 million websites, although the vulnerable subset is limited to sites running the 6.9 or 7.0 series released after December 2, 2025. Consequently, every potentially affected site is running a release less than eight months old, though the exact number of exposed installations remains undisclosed. The absence of a CVE means that automated threat‑intelligence feeds and CISA’s Known Exploited Vulnerabilities (KEV) catalog will not flag the issue until a CVE is assigned. Historically, similar core flaws in WordPress have been weaponized at scale; for example, a caching‑plugin vulnerability earlier in 2026 allowed the WP‑SHELLSTORM group to compromise over 17,000 sites despite being patched and requiring a non‑default setting. The current flaw, being exploitable on a default install with no authentication, presents a potentially larger attack surface if weaponized.
Open‑Source Considerations
Because WordPress core is open source, the patches for 6.9.5 and 7.0.2 are publicly available in the release repository. This transparency allows anyone to compare the vulnerable and fixed versions, effectively providing a “map” to the bug. The inherent tension for open‑source projects is that releasing a fix also discloses the underlying vulnerability, potentially accelerating exploit development. WordPress’s reliance on its auto‑update mechanism attempts to close this gap by distributing the patch faster than attackers can analyze the diff. The upcoming weeks will reveal whether the forced update succeeded in protecting the majority of sites before active exploitation begins.
Recommendations and Conclusion
Site administrators should prioritize verifying their WordPress version and applying 6.9.5 or 7.0.2 immediately. If immediate updating is not feasible, implement one of the stopgap mitigations outlined above, understanding the possible impact on legitimate REST API functionality. Monitor the wp2shell.com checker or manually inspect the /wp-includes/rest-api/class-wp-rest-server.php, class-wp-query.php, and rest-api.php files for the patched code. Stay tuned for any future CVE assignment, which will enable automated detection via standard vulnerability scanners. Ultimately, the incident underscores the importance of rapid patch distribution in widely used open‑source platforms and the value of layered defenses—such as WAF rules and API hardening—while awaiting official updates.

