Skip to content
feed: live
>_ 0dayNews
wordpress
● Breaking

WordPress Core RCE (wp2shell): CVE-2026-63030, PoC public

A critical unauthenticated remote code execution flaw in WordPress Core got a CVE, a GitHub advisory, and a working public PoC on July 17, 2026.

WordPress Core RCE (wp2shell): CVE-2026-63030, PoC public
Image: 0dayNews / 0dayNews Editorial · All rights reserved
airgap airgap · Published · 3 min read

Confirmed: a critical unauthenticated remote code execution vulnerability in WordPress Core received the tracking ID CVE-2026-63030 on July 17, 2026, published under the researcher tag wp2shell. Rapid7 issued an Emergent Threat Response write-up the same day. The Hacker News reports a working proof-of-concept is public and that a bare install with zero plugins is in range.

If you run a WordPress instance that faced the internet unpatched after July 17, treat it as compromise-adjacent until you can prove otherwise.

What is confirmed

  • CVE ID. CVE-2026-63030, assigned via a GitHub Security Advisory on July 17. Verified against NVD.
  • Vulnerability class. Unauthenticated remote code execution. No account required, no plugin required — the flaw lives in WordPress Core itself.
  • Attack primitive. Per The Hacker News, a single anonymous HTTP request is sufficient to run code on the target instance. Consistent with the researcher tag wp2shell.
  • Affected branches. Per The Hacker News, the WordPress 6.9 and 7.0 branches were in range prior to the patched release. Refer to the wordpress.org security page for the authoritative patched-version list.
  • PoC state. Public. The Hacker News reports the full mechanism has been published and a working proof-of-concept is circulating.

The scoring split

There is a public split on CVSS. NVD lists CVE-2026-63030 at 9.8. Rapid7’s write-up notes that the GitHub Security Advisory itself classifies the severity as Critical but assigns a CVSS of 7.5. Both source severities land at Critical; the numeric gap between the two is unresolved as of this filing. Cite both if you’re briefing up — the discrepancy is going to come up.

What is not confirmed

  • In-the-wild exploitation. As of this filing, no named vendor telemetry of active use has been published. Unconfirmed — treat accordingly. A public PoC on an unauthenticated single-request primitive against WordPress narrows the window between disclosure and exploitation to hours, not weeks; the setup for exploitation is present, the observation is not yet.
  • The second CVE ID. The Hacker News reports that a companion persistent-object-cache condition has surfaced alongside wp2shell and now carries its own CVE ID. That second ID is not yet reflected in the summary we have. Only CVE-2026-63030 has been independently verified against NVD; the companion is real per the outlet and tracked as a linked issue until we have the ID in hand.
  • KEV status. CISA had not added CVE-2026-63030 to the Known Exploited Vulnerabilities catalog at the time of writing. Expect that to change quickly if exploitation is observed against federal-civilian assets.

Why this one matters

WordPress runs a large share of the public web — that is the point of the wordpress topic hub on this site. An unauthenticated RCE in core — not a plugin, not a theme — means the exploitable surface is not gated behind third-party ecosystem choices. Every public-facing WordPress instance in the affected branches is a candidate target the moment the PoC is stable enough to weaponize, and per The Hacker News, it is.

This is a different failure mode than the plugin-side pattern we covered in Australia’s ACSC CMS advisory listing 18 CVEs under exploitation, or the LLM-assisted plugin-zero-day discovery Intruder disclosed in its vending-machine write-up. Those are ecosystem-side stories. wp2shell is a core-side story, and the blast radius is correspondingly larger.

What defenders can do

  • Update WordPress Core. The GHSA-published patched release is the fix. Refer to the wordpress.org security page for the exact patched-version number and apply at or above it.
  • If you cannot patch immediately, take the instance off the public internet. For an unauthenticated single-request RCE, network-layer removal is the only reliable near-term control.
  • Assume any unpatched public-facing WordPress instance is a target. WordPress-hosting attack surfaces are enumerated at massive scale as a matter of course; a working PoC on an unauthenticated primitive is the trigger for that enumeration to become exploitation.
  • Watch for the second CVE. Track the companion persistent-object-cache condition once its ID lands.
  • Watch KEV. If CISA adds this one, the timeline for federal-civilian remediation compresses to days under BOD 26-04.

This piece will be updated when the companion CVE ID lands, when CISA adds wp2shell to KEV, or when in-the-wild exploitation is confirmed by a named vendor.

Sources

Confidence: CVE assignment and vulnerability class confirmed and independently verified. Public PoC availability as-reported by The Hacker News. In-the-wild exploitation: unconfirmed. Companion CVE ID: pending.

Related CVEs

Found this useful? Share it.