# New WordPress ‘wp2shell’ Flaw Lets Anonymous Attackers Seize Sites, Raising Global Web Security Risk

*Saturday, July 18, 2026 at 8:07 AM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-07-18T08:07:35.536Z (4h ago)
**Category**: cyber | **Region**: Global
**Importance**: 7/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/11552.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: A newly detailed ‘wp2shell’ vulnerability chain in WordPress core now has two assigned CVEs and a working public exploit, allowing unauthenticated attackers to execute code on affected sites. With WordPress powering a huge share of government, media and commerce pages worldwide, the flaw turns routine content management into a serious attack surface.

A critical new vulnerability chain in WordPress core is putting millions of websites at risk of silent takeover, as security researchers warn that publicly available code now allows anonymous attackers to gain full control of affected installations. The flaw, dubbed “wp2shell,” has been assigned two separate CVE identifiers and enables unauthenticated code execution when chained, turning one of the world’s most widely used content-management systems into a potent entry point for cyber intrusions.

According to technical disclosures published on 18 July, the wp2shell issue encompasses two distinct but related weaknesses. The first, tracked as CVE‑2026‑63030, breaks WordPress’ REST batch routing mechanism, while the second, CVE‑2026‑60137, allows SQL injection. When combined, the vulnerabilities allow a remote, unauthenticated attacker to escalate from crafted web requests to full code execution on the underlying server—effectively turning a public-facing website into a beachhead for deeper network compromise.

What makes this development particularly dangerous is not only the severity of the vulnerabilities but the speed with which a working proof-of-concept has been released. Researchers have already published exploit code that demonstrates how to chain the routing break and SQL injection into a reliable attack path. Because the flaws sit in WordPress core functions, they potentially affect a broad range of sites regardless of which theme or plugin stack they use, complicating defenders’ efforts to triage exposure.

For the administrators who quietly keep government portals, media sites and small business storefronts running on WordPress, the implications are sobering. A successful wp2shell exploit does not just deface a homepage; it can let attackers upload backdoors, steal databases containing user credentials and personal information, or pivot into internal systems connected to the same server. Many organizations that rely on managed hosting or outsourced development may not even be aware of exactly which versions of core software they are running, leaving them dependent on vendors to move quickly.

The strategic significance lies in WordPress’ ubiquity. Estimates vary, but the platform is thought to power a large fraction of the world’s websites, including thousands of official government and educational domains, as well as critical news and humanitarian outlets in conflict zones. A vulnerability that provides anonymous code execution against such a wide installed base is attractive not only to criminal ransomware groups, but also to state‑aligned actors looking for persistent access, disinformation platforms, or staging grounds for further operations.

For threat actors, wp2shell reduces the cost of high‑impact operations. Rather than relying on phishing campaigns or zero‑day browser exploits, an attacker can scan the internet for WordPress installations, test for the vulnerable configuration, and automatically deploy payloads. Compromised sites can then be used as command‑and‑control nodes, malware distribution points, or silent redirectors in influence campaigns—often without immediate detection if changes are subtle and logs are poorly monitored.

The key insight from this episode is that the world’s digital public square rests on a relatively small number of shared software foundations, and when cracks appear in those foundations, the potential blast radius is global. A flaw in a blogging platform can quickly become a vulnerability in election information sites, aid organization portals, and critical infrastructure dashboards if left unpatched.

What happens next will depend on how quickly the WordPress core team issues updates, how fast hosting providers and site owners apply them, and whether large-scale exploitation campaigns begin to surface in threat intelligence feeds. Indicators to watch include the appearance of wp2shell in automated exploit kits, spikes in suspicious traffic targeting WordPress REST endpoints, and any reports of coordinated compromises of media, government or NGO sites linked back to this vulnerability chain. If attackers move faster than defenders, wp2shell could shift from a technical curiosity to a central feature of the global cyber threat landscape in a matter of days.
