{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wordpress-core-6.9.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-63030"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WordPress Core 6.9.0","WordPress Core 6.9.1","WordPress Core 6.9.2","WordPress Core 6.9.3","WordPress Core 6.9.4","WordPress Core 7.0.0","WordPress Core 7.0.1"],"_cs_severities":["critical"],"_cs_tags":["wordpress","rce","web-vulnerability","cve"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eOn July 17, 2026, a GitHub Security Advisory was published detailing CVE-2026-63030, a critical unauthenticated remote code execution vulnerability in WordPress Core. This flaw affects WordPress versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. The vulnerability allows an unauthenticated attacker to execute arbitrary code by exploiting the WordPress REST API batch endpoint, specifically when a persistent object cache is not in use. This could lead to a complete compromise of the website and its underlying data without requiring any valid account or user interaction. While the vulnerability has a CVSS score of 7.5, its unauthenticated nature and widespread deployment of WordPress elevate its criticality. The issue is fixed in WordPress 6.9.5 and 7.0.2. At the time of publication, no publicly confirmed in-the-wild exploitation has been observed, but given WordPress's open-source nature and the potential for AI analysis, public proof-of-concept exploits are highly anticipated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: An attacker identifies public-facing WordPress instances using web scanning tools or open-source intelligence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker determines that the target WordPress instance is running a vulnerable version (6.9.0-6.9.4 or 7.0.0-7.0.1) and that a persistent object cache, which could mitigate the exploit, is not in use.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Crafting\u003c/strong\u003e: The attacker crafts a malicious HTTP POST request, embedding arbitrary code within a specially formatted batch request to the WordPress REST API batch endpoint (e.g., \u003ccode\u003e/wp-json/batch/v1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: The crafted request is sent to the vulnerable WordPress server, targeting the REST API batch endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution\u003c/strong\u003e: The WordPress core, due to CVE-2026-63030, improperly processes the batch request, leading to the execution of the attacker's arbitrary code on the server, exploiting the vulnerable code path enabled by the absence of a persistent object cache.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence and Privilege Escalation\u003c/strong\u003e: The executed code establishes persistence (e.g., dropping a webshell, creating new administrator accounts, modifying WordPress core files) and may attempt to escalate privileges on the underlying host operating system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker gains full control over the WordPress instance and potentially the server, enabling actions such as data exfiltration, website defacement, or using the compromised server as a platform for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-63030 grants an unauthenticated attacker remote code execution capabilities on the vulnerable WordPress server. This directly leads to the complete compromise of the website, its content, and any associated databases. Given that WordPress is the most widely used content management system globally, a large number of public-facing websites are potentially at risk. The impact extends to potential data breaches, website defacement, server-side resource abuse (e.g., for cryptocurrency mining or hosting malicious content), and further lateral movement within an organization's network if the WordPress server has access to internal systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all affected WordPress installations to version \u003cstrong\u003e6.9.5\u003c/strong\u003e or \u003cstrong\u003e7.0.2\u003c/strong\u003e (or 7.1 Beta 2 for the beta branch) to remediate \u003cstrong\u003eCVE-2026-63030\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eVerify that automatic updates for WordPress are active and have successfully applied the necessary patches to all internet-facing instances.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for suspicious POST requests to WordPress REST API batch endpoints (e.g., paths containing \u003ccode\u003e/wp-json/batch/v1\u003c/code\u003e) from unknown or unusual IP addresses, especially around the vulnerability disclosure date.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T22:47:35Z","date_published":"2026-07-17T22:47:35Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wp2shell-rce-wordpress/","summary":"CVE-2026-63030 is a critical unauthenticated remote code execution vulnerability affecting WordPress Core versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1, allowing an unauthenticated attacker to execute arbitrary code via the WordPress REST API batch endpoint, potentially leading to complete website compromise.","title":"CVE-2026-63030: Critical Remote Code Execution Vulnerability in WordPress Core","url":"https://feed.craftedsignal.io/briefs/2026-07-wp2shell-rce-wordpress/"}],"language":"en","title":"CraftedSignal Threat Feed - WordPress Core 6.9.3","version":"https://jsonfeed.org/version/1.1"}