wp2shell: Unauthenticated RCE in WordPress Core — No Login, No Plugins, No Preconditions, 500 Million Sites at Risk
CVE-2026-63030 (Critical) chains with CVE-2026-60137 (CVSS 9.1) via the REST API batch endpoint that ships in every WordPress install since 5.6. A single anonymous HTTP request to /wp-json/batch/v1 is enough. No login, no plugins, no user interaction. Affects 6.9.0–7.0.1. WordPress forced auto-update to 7.0.2 and 6.9.5 — but verify it actually landed. Sites with disabled auto-updates remain exposed. Investigate for compromise if you were running an affected version.
Read Full Brief →Threats & Attacks
REST API batch endpoint. Single anonymous HTTP request. No preconditions. 6.9.0–7.0.1. 500M+ sites. Forced auto-update pushed — verify it landed. Sites with disabled auto-updates remain exposed. Investigate for prior compromise if you were running affected version.
292/316 tasks. All 7 benchmarks saturated. Evaluation system declared broken. 32-point gap from token budget alone. UK AISI confirmed. GPT-5.6 government-gated.
Just a file copy. 11 shims trusted by every UEFI computer. BlackLotus, Bootkitty enabled. Runs before OS, before EDR, survives OS reinstall. Apply June dbx update.
5,937 login failures = leaked heap memory. MFA bypassed. SYSTEM in minutes. Same playbook across 6 victims. Stolen tokens survive patching — kill all sessions.
Autonomous LLM: initial access to encryption to ransom demand. No human at keyboard. Key never stored. Ran on victim’s own stolen API keys. Old CVEs, unpatched servers.
Six-instruction race window. Root 99%. Reaches Android from Chrome’s renderer sandbox. Third LPE in two weeks. No workaround — patch and reboot.
Intelligence & Deep Dive
The DataWater Intelligence Brief
Weekly CISO-level threat analysis — breaking vulnerabilities, technical depth, zero noise.
