Aikido

Unauthenticated RCE in WordPress core (wp2shell), via SQL injection

Written by
Dania Durnas

SQL injections are still among us. On July 17, WordPress released an emergency security update. Version 7.0.2 fixes an unauthenticated remote code execution flaw in WordPress core that an anonymous attacker can trigger against a stock install with no plugins involved. If your site runs an affected version, update today. WordPress.org has turned on forced auto-updates for affected sites because of how severe this is. We are tracking this vulnerability in Aikido Intel.

Adam Kues at Searchlight Cyber reported the flaw and published a checker at wp2shell.com so you can test whether your site is exposed. (but the site has been going offline occasionally). WordPress core's own advisory describes it as a REST API batch-route confusion and SQL injection issue that chains into remote code execution, with the batch endpoint at /wp-json/batch/v1 as the entry point. Searchlight estimates over 500 million sites run WordPress, so the exposed population is large.

Getting on the correct version is top priority. If you run Aikido Zen, its embedded firewall is built to block the SQL injection this flaw relies on, so an unpatched site keeps a runtime defense while the update rolls out.

Affected versions

The remote code execution flaw affects:

  • WordPress 6.9.0 through 6.9.4, fixed in 6.9.5
  • WordPress 7.0.0 through 7.0.1, fixed in 7.0.2
  • WordPress 7.1 beta, fixed in 7.1 beta2

Anything below 6.9.0 is not vulnerable to the RCE. WordPress 6.8 is exposed to a separate SQL injection issue patched in the same round, so sites on 6.8 should move to 6.8.6. Versions before 6.8 are unaffected by either issue.

What to do now

Update WordPress right away. 7.0.2 has the fix, or 6.9.5 if you are on the 6.9 branch. Most sites with background updates enabled will receive it automatically, though you should confirm the version in your dashboard rather than assuming anything.

If you can't update immediately, the disclosure lists a few temporary measures. You can install a plugin that blocks unauthenticated access to the REST API, block both the path /wp-json/batch/v1 and the query parameter rest_route=/batch/v1 at your WAF, or add a small must-use plugin that requires authentication on the REST batch route. Each of these can interfere with legitimate REST API traffic, so treat them as short-term cover until you patch.

This flaw is tracked in Aikido Intel, our real-time feed that surfaces new vulnerabilities and malware across open-source ecosystems

Runtime protection with Aikido Zen

This is the second SQL injection issue in a single WordPress core release. Developers have been calling SQL injection a solved problem for years, but it still haunts us. It continues to pop up in core software and dependencies, often reachable by anonymous users before there’s a fix.

Aikido Zen is an embedded firewall that runs inside your application and inspects user input as it flows toward your database. It blocks SQL injection, command injection, and path traversal at runtime, and it installs with a few lines of code. Zen is built to catch this class of attack, SQL injection driven by attacker-controlled input, as the request runs. For teams that can't patch the moment a zero-day drops, that runtime layer holds the line while you deploy the fix on your own schedule.

Patch first. Run Zen, so the next unauthenticated injection has somewhere to stop.

Tracking aulnerabilities with Aikido Intel

This flaw is tracked in Aikido Intel alongside the other WordPress core issues fixed in the same release. Intel is a real-time feed that reads new releases across open-source ecosystems as they publish, WordPress included, and surfaces vulnerabilities and malware within minutes, often before they reach the public CVE databases.

If you already use Intel, the WordPress advisories are in your feed now, so you can follow this one and whatever lands next without watching a dozen sources. The feed is open and free to browse at intel.aikido.dev, and it is available under an open-source license and through a commercial API if you want to pull the data into your own tooling.

Share:

https://www.aikido.dev/blog/unauthenticated-rce-in-wordpress-wp2shell

Scan for malware

Start for Free
4.7/5
Tired of false positives?

Try Aikido like 100k others.
Start Now
Get a personalized walkthrough

Trusted by 100k+ teams

Book Now
Scan your app for IDORs and real attack paths

Trusted by 100k+ teams

Start Scanning
See how AI pentests your app

Trusted by 100k+ teams

Start Testing

Get secure now

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

No credit card required | Scan results in 32secs.