What wp2shell actually does
When Adam Kues at Assetnote sent a specially crafted request to a stock WordPress install, the server ran his code. No account, no password, no plugin, no unusual setting. The researchers named the chain wp2shell, WordPress assigned it CVE-2026-63030, and both parties rated it critical.
The exploit strings together two weaknesses in the REST API batch route: a request-routing confusion that lets an unauthenticated caller reach code paths meant to be gated, and a SQL injection reachable through it. Chained, they turn an anonymous HTTP request into remote code execution, the most severe outcome a web flaw can have.
Why the automatic patch is not the finish line
WordPress shipped 6.9.5 and 7.0.2 on 17 July 2026 and, given the severity, forced the updates onto affected sites rather than waiting for owners to click. That is the right call, and most sites are now closed. It also hides the harder question.
A pre-authentication flaw means anyone on the internet could have used it before you patched, and installing the fix does not reverse that. If your site was reachable and unpatched during the exposure window, the update removed the door but not whatever walked through it: a planted admin user, a scheduled task, a webshell in the uploads folder.
Why nearly every site owner is in scope
This lived in core, the software every WordPress site runs, so exposure did not depend on a niche plugin or theme. WordPress powers close to 40 percent of the web, which is why a single core flaw of this class is a mass event rather than a niche one.
Versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 were vulnerable to wp2shell. The second bug, an SQL injection in the author__not_in parameter of WP_Query rated CVSS 9.1, reaches back to 6.8, so a site that skipped updates for a few months carried the larger exposure window of the two.
What EU rules turn this into
For a European business the flaw is not only technical. If personal data sits behind that site, the GDPR gives you 72 hours to notify your supervisory authority once you become aware of a breach, and 'we cannot rule it out' is closer to awareness than to comfort.
For essential and important entities under NIS2, an incident of this severity carries its own early-warning and reporting clock, and regulators increasingly expect evidence of detection, not just a patch log. A forced auto-update is a defence you did not choose; the record of whether you then checked for compromise is the one you control.
The check that has to happen now
Confirm the site is on 6.9.5 or 7.0.2, then treat the exposure window as the real work. Review admin accounts and application passwords created in July, inspect scheduled tasks and recently modified PHP files, and pull web-server logs for unusual POST requests to the REST API around the disclosure date.
If you run managed WordPress, ask your host in writing when the patch landed and whether they saw exploitation attempts against your site. The honest answer to 'were we hit' is rarely instant, but the owners who ask this week are the ones who will not be explaining a silent breach next quarter.
Read next: A Bricked Building Costs More Than a Ransom | Your Sandbox Was Attacked a Month Before the Warning



