Critical wp2shell RCE in WordPress core requires patch
🔒 Public proof-of-concept exploits have been released for the critical "wp2shell" pre-authentication remote code execution chain affecting WordPress Core. The attack combines two flaws, CVE-2026-63030 and CVE-2026-60137, impacting WordPress 6.9.x and 7.0.x, prompting forced auto-updates to versions 6.9.5 and 7.0.2. Administrators are urged to patch immediately or apply temporary WAF/REST API mitigations while updates are applied.