Attackers can seize control of WordPress sites by exploiting two critical vulnerabilities, tracked as CVE-2026-63030 and CVE-2026-60137, which can be chained to achieve pre-authentication remote code execution on default WordPress installations running versions 6.9.x and 7.0.x. The flaws, introduced in WordPress 6.9, include a REST API batch-route confusion bug and a high-severity issue, allowing attackers to gain unauthorized access without authentication. Public proof-of-concept exploits are now available for these vulnerabilities, expanding the active attack surface. The disclosure of CVE-2026-63030 is particularly notable, as it introduces a new attack vector1. As a result, administrators should prioritize patching and monitoring their WordPress installations based on their exposure and evidence of exploitation. This vulnerability chain poses a significant risk to WordPress site security, making prompt action necessary to prevent potential takeovers.
Attackers Can Take Over WordPress Sites Using Newly Released wp2shell Exploits
⚡ High Priority
Why This Matters
CVE-2026-63030 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- SecurityAffairs. (2026, July 19). Attackers Can Take Over WordPress Sites Using Newly Released wp2shell Exploits. *SecurityAffairs*. https://securityaffairs.com/195597/hacking/attackers-can-take-over-wordpress-sites-using-newly-released-wp2shell-exploits.html
Original Source
SecurityAffairs
Read original →