Particle.news

WordPress Issues Emergency Patches for Critical wp2shell RCE

The fixes close a pre-auth REST API batch-route confusion plus SQL injection chain that can let an anonymous user run code on recent installs.

Overview

  • A Searchlight Cyber researcher privately reported the flaw and published a non-exploit writeup called wp2shell with a checker to let site owners test their installs.
  • WordPress released security updates (6.9.5 and 7.0.2) and, on Friday, pushed forced auto-updates to speed patching for affected 6.9 and 7.0 releases.
  • The bug chain combines a REST API batch-route confusion introduced in 6.9 with an SQL injection in WP_Query, and it can lead to pre-auth remote code execution on default installs.
  • Researchers published temporary mitigations such as blocking /wp-json/batch/v1 and ?rest_route=/batch/v1, disabling the REST API, or deploying a short drop-in plugin while sites update.
  • Tracking and response are complicated because public proof-of-concept exploits and some reports of in-the-wild activity appeared after the patch and because CVE assignment and scanner signatures remain inconsistent, which may slow detection.