<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>WordPress Core 7.0.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/wordpress-core-7.0.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 22:47:35 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/wordpress-core-7.0.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-63030: Critical Remote Code Execution Vulnerability in WordPress Core</title><link>https://feed.craftedsignal.io/briefs/2026-07-wp2shell-rce-wordpress/</link><pubDate>Fri, 17 Jul 2026 22:47:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wp2shell-rce-wordpress/</guid><description>CVE-2026-63030 is a critical unauthenticated remote code execution vulnerability affecting WordPress Core versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1, allowing an unauthenticated attacker to execute arbitrary code via the WordPress REST API batch endpoint, potentially leading to complete website compromise.</description><content:encoded><![CDATA[<p>On July 17, 2026, a GitHub Security Advisory was published detailing CVE-2026-63030, a critical unauthenticated remote code execution vulnerability in WordPress Core. This flaw affects WordPress versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. The vulnerability allows an unauthenticated attacker to execute arbitrary code by exploiting the WordPress REST API batch endpoint, specifically when a persistent object cache is not in use. This could lead to a complete compromise of the website and its underlying data without requiring any valid account or user interaction. While the vulnerability has a CVSS score of 7.5, its unauthenticated nature and widespread deployment of WordPress elevate its criticality. The issue is fixed in WordPress 6.9.5 and 7.0.2. At the time of publication, no publicly confirmed in-the-wild exploitation has been observed, but given WordPress's open-source nature and the potential for AI analysis, public proof-of-concept exploits are highly anticipated.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance</strong>: An attacker identifies public-facing WordPress instances using web scanning tools or open-source intelligence.</li>
<li><strong>Vulnerability Identification</strong>: The attacker determines that the target WordPress instance is running a vulnerable version (6.9.0-6.9.4 or 7.0.0-7.0.1) and that a persistent object cache, which could mitigate the exploit, is not in use.</li>
<li><strong>Payload Crafting</strong>: The attacker crafts a malicious HTTP POST request, embedding arbitrary code within a specially formatted batch request to the WordPress REST API batch endpoint (e.g., <code>/wp-json/batch/v1</code>).</li>
<li><strong>Initial Access</strong>: The crafted request is sent to the vulnerable WordPress server, targeting the REST API batch endpoint.</li>
<li><strong>Code Execution</strong>: The WordPress core, due to CVE-2026-63030, improperly processes the batch request, leading to the execution of the attacker's arbitrary code on the server, exploiting the vulnerable code path enabled by the absence of a persistent object cache.</li>
<li><strong>Persistence and Privilege Escalation</strong>: The executed code establishes persistence (e.g., dropping a webshell, creating new administrator accounts, modifying WordPress core files) and may attempt to escalate privileges on the underlying host operating system.</li>
<li><strong>Impact</strong>: The attacker gains full control over the WordPress instance and potentially the server, enabling actions such as data exfiltration, website defacement, or using the compromised server as a platform for further attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-63030 grants an unauthenticated attacker remote code execution capabilities on the vulnerable WordPress server. This directly leads to the complete compromise of the website, its content, and any associated databases. Given that WordPress is the most widely used content management system globally, a large number of public-facing websites are potentially at risk. The impact extends to potential data breaches, website defacement, server-side resource abuse (e.g., for cryptocurrency mining or hosting malicious content), and further lateral movement within an organization's network if the WordPress server has access to internal systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all affected WordPress installations to version <strong>6.9.5</strong> or <strong>7.0.2</strong> (or 7.1 Beta 2 for the beta branch) to remediate <strong>CVE-2026-63030</strong>.</li>
<li>Verify that automatic updates for WordPress are active and have successfully applied the necessary patches to all internet-facing instances.</li>
<li>Review web server access logs for suspicious POST requests to WordPress REST API batch endpoints (e.g., paths containing <code>/wp-json/batch/v1</code>) from unknown or unusual IP addresses, especially around the vulnerability disclosure date.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>wordpress</category><category>rce</category><category>web-vulnerability</category><category>cve</category></item></channel></rss>