Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-63030

WordPress Core unauthenticated RCE (wp2shell)

A critical unauthenticated remote code execution flaw in WordPress Core (CVE-2026-63030). GitHub Security Advisory issued July 17, 2026; public PoC circulating.

cat cve-2026-63030.json
Vendor
WordPress
Product
WordPress Core (6.9 and 7.0 branches per The Hacker News)
CVSS
9.8
EPSS (exploit probability)
N/A
Status
patched
Published

CVE-2026-63030 — tracked publicly under the researcher tag wp2shell — is a critical unauthenticated remote code execution vulnerability in WordPress Core. A GitHub Security Advisory was published on July 17, 2026, and Rapid7’s Emergent Threat Response post went up the same day. The Hacker News reports a working public proof-of-concept is circulating and that a single anonymous HTTP request is sufficient to trigger code execution against a bare install with no plugins.

Scoring note

There is a public split on scoring. NVD lists CVE-2026-63030 at CVSS 9.8. The GitHub Security Advisory, per Rapid7’s write-up, classifies the flaw as Critical but assigns a CVSS of 7.5. Both source severities are Critical; the numeric split is unresolved as of this filing. Use the vendor advisory as authoritative for your risk register and cite the split explicitly if you’re briefing up.

Affected

Per The Hacker News, the WordPress 6.9 and 7.0 branches are in range. Because the flaw is in core, a WordPress install with zero third-party plugins is exploitable — the plugin ecosystem is not required for the primitive. Refer to the wordpress.org security page for the authoritative patched-version list before you plan the update.

What to do

Update WordPress Core to the patched release. If you cannot patch immediately, take the affected instance off the public internet. A public PoC plus an unauthenticated single-request trigger against a widely deployed CMS is a compromise-scale event on the timescale of hours, not weeks — treat any public-facing WordPress site that has not been updated since July 17 as compromise-adjacent until proven otherwise.