- WordPress patched a pre-authentication remote code execution flaw in versions 6.9.5 and 7.0.2 on July 17, 2026.
- The bug, found by Adam Kues of Searchlight Cyber’s Assetnote, allows an anonymous HTTP request to run code on a default install with zero plugins.
- No CVE ID or CVSS score has been assigned yet, and no exploitation attempts have been reported as of July 18.
- Mitigations include blocking the /wp-json/batch/v1 endpoint at a WAF or disabling the REST API entirely.
An anonymous HTTP request can remotely execute code on any WordPress site running versions 6.9.0 through 6.9.4 or 7.0.0 through 7.0.1, even on a bare install with no plugins. Adam Kues at Assetnote, the attack surface management arm of Searchlight Cyber, discovered the flaw and reported it through WordPress’s HackerOne program. The firm’s writeup, published under the name wp2shell, states the attack has “no preconditions and can be exploited by an anonymous user.”
WordPress shipped 6.9.5 and 7.0.2 on July 17, 2026, and enabled forced updates through its auto-update system. However, the company has not said whether the forced push reaches sites that turned auto-updates off. The release post describes the finding as “a REST API batch-route confusion and SQL injection issue leading to Remote Code Execution.” The batch endpoint has existed since WordPress 5.6 in November 2020, and nothing published so far explains what changed in version 6.9 to open it.
Neither advisory carries a CVE ID or a CVSS score, and no CVE record had appeared by July 18. Consequently, CISA cannot add the flaw to its KEV catalog until a CVE is assigned. Searchlight’s post estimates that over 500 million websites run WordPress, though only those on releases from 6.9 onward (shipped December 2, 2025) are affected. For administrators unable to update immediately, Searchlight Cyber recommends blocking both /wp-json/batch/v1 and rest_route=/batch/v1 at a WAF, or disabling the REST API altogether. No exploitation attempts have been reported as of July 18, but with no public signature to match, visibility remains limited.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- ECB: Stablecoin growth puts European bank deposits at risk
- Tesla Launches Megacharger Network with Bloomington Station
- Apple Overtakes Nvidia as World’s Most Valuable Public Company
- Galaxy Digital buys naming rights to Texas Tech stadium in 15-year deal
- ViteVenom: 7 Malicious npm Packages Target Vite Ecosystem
