WordPress Core unauthenticated RCE (wp2shell)
A critical unauthenticated remote code execution flaw in WordPress Core (CVE-2026-63030). GitHub Security Advisory issued July 17, 2026; public PoC circulating.
- Vendor
- WordPress
- Product
- WordPress Core (6.9 and 7.0 branches per The Hacker News)
- CVSS
- 9.8
- EPSS (exploit probability)
- N/A
- Status
- patched
- Published
CVE-2026-63030 — tracked publicly under the researcher tag wp2shell — is a critical unauthenticated remote code execution vulnerability in WordPress Core. A GitHub Security Advisory was published on July 17, 2026, and Rapid7’s Emergent Threat Response post went up the same day. The Hacker News reports a working public proof-of-concept is circulating and that a single anonymous HTTP request is sufficient to trigger code execution against a bare install with no plugins.
Scoring note
There is a public split on scoring. NVD lists CVE-2026-63030 at CVSS 9.8. The GitHub Security Advisory, per Rapid7’s write-up, classifies the flaw as Critical but assigns a CVSS of 7.5. Both source severities are Critical; the numeric split is unresolved as of this filing. Use the vendor advisory as authoritative for your risk register and cite the split explicitly if you’re briefing up.
Affected
Per The Hacker News, the WordPress 6.9 and 7.0 branches are in range. Because the flaw is in core, a WordPress install with zero third-party plugins is exploitable — the plugin ecosystem is not required for the primitive. Refer to the wordpress.org security page for the authoritative patched-version list before you plan the update.
What to do
Update WordPress Core to the patched release. If you cannot patch immediately, take the affected instance off the public internet. A public PoC plus an unauthenticated single-request trigger against a widely deployed CMS is a compromise-scale event on the timescale of hours, not weeks — treat any public-facing WordPress site that has not been updated since July 17 as compromise-adjacent until proven otherwise.
