Critical

Attackers Can Take Over WordPress Sites Using Newly Released wp2shell Exploits

Security Affairs
Actively Exploited

Overview

Recent discoveries have revealed serious vulnerabilities in WordPress, specifically two flaws tracked as CVE-2026-63030 and CVE-2026-60137. These vulnerabilities, known as wp2shell, can be exploited by attackers to execute code remotely without needing authentication. This means that anyone with these vulnerabilities can potentially take control of a WordPress site, particularly those running default configurations. The availability of public proof-of-concept exploits raises the urgency for website owners to address these flaws promptly, as they are now at greater risk of being targeted by malicious actors. It’s critical for users to be aware of these vulnerabilities and take immediate action to secure their sites.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: WordPress Core, default installations of WordPress.
  • Action Required: Website owners should update their WordPress installations to the latest version to mitigate these vulnerabilities.
  • Timeline: Newly disclosed

Original Article Summary

Public exploits are now available for two critical WordPress flaws that attackers can chain to gain remote code execution without authentication. Public proof-of-concept exploits are now available for the critical wp2shell vulnerabilities affecting WordPress Core. The flaws, tracked as CVE-2026-63030 and CVE-2026-60137, can be chained to achieve pre-authentication remote code execution on default WordPress installations […]

Impact

WordPress Core, default installations of WordPress.

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Newly disclosed

Remediation

Website owners should update their WordPress installations to the latest version to mitigate these vulnerabilities. Regularly monitoring for updates and applying security patches as they become available is also recommended.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to CVE, Vulnerability, Critical.

Related Coverage

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 106

Security Affairs

The latest Malware Newsletter from Security Affairs includes several notable malware threats. One of these is CrashStealer, a C++ infostealer for macOS that masquerades as a crash reporter, targeting users to extract sensitive information. Another threat, Lucide Proxy, is exploiting student web proxies to create DDoS bots, potentially impacting educational institutions. Additionally, the AsyncAPI npm organization has been compromised, affecting about 2 million weekly downloads, which raises concerns for developers relying on these packages. Lastly, OkoBot is a sophisticated malware framework specifically designed to target cryptocurrency users, highlighting the ongoing risks in the digital currency space. These developments illustrate the evolving tactics of cybercriminals and the need for users and organizations to stay vigilant.

Jul 19, 2026

Security Affairs newsletter Round 586 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs

The latest Security Affairs newsletter reports on two significant cybersecurity issues. First, OpenSSL has addressed a vulnerability known as the HollowByte memory exhaustion bug, which could lead to service disruptions. Users of OpenSSL, particularly those running servers or applications that rely on this library, should ensure they update to the latest version to avoid potential downtime or denial-of-service attacks. Additionally, researchers have discovered Daxin, a malware that has been linked to China, still active on a manufacturer's network despite being over a decade old. This finding raises concerns about the long-term persistence of such malware and its ability to evade detection. Companies must remain vigilant and conduct thorough network security assessments to identify and eliminate such threats.

Jul 19, 2026

Hackers abuse ViPNet software to target Russian govt agencies

BleepingComputer

Hackers are exploiting the update mechanism of the ViPNet software, a private networking solution, to target Russian government agencies and other organizations. This sophisticated attack has raised concerns about the security of critical infrastructure in Russia, as ViPNet is widely used by various state entities. Researchers have identified the malicious activity, which indicates a significant threat to the integrity of communications within these agencies. The ability to manipulate software updates poses serious risks, as it could allow attackers to gain unauthorized access or disrupt operations. This incident underscores the need for heightened security measures and vigilance among users of ViPNet and similar products.

Jul 19, 2026

SonicWall SMA Zero-Days Exploited Before Disclosure to Gain Root Access

The Hacker News

A new threat actor, identified as UTA0533, has been exploiting zero-day vulnerabilities in SonicWall's Secure Mobile Access (SMA) 1000 series VPN appliances before these issues were publicly disclosed. This activity has been tracked since June 22, 2026, and was uncovered during an incident response investigation by cybersecurity firm Volexity. The attackers gained root access to systems, raising serious concerns about the security of organizations using these VPN appliances. This incident is particularly alarming as it highlights the potential risks associated with undisclosed vulnerabilities, which can be exploited by malicious actors before users have a chance to protect themselves. Organizations using SonicWall SMA appliances should be vigilant and prepare for potential impacts from these vulnerabilities.

Jul 19, 2026

Week in review: High severity WordPress vulnerabilities, fake OAuth IDs bypass sign-in logs

Help Net Security

Last week, two high severity vulnerabilities were discovered in WordPress that require immediate attention from users and site administrators. The 7.0.2 security release addresses one critical issue along with a high severity problem, both of which could potentially expose websites to serious risks. WordPress users are urged to update their installations promptly to protect against possible exploitation. Additionally, there was a mention of an open-source research agent that poses risks when it interacts with live cloud accounts, emphasizing the importance of securing credentials. These vulnerabilities serve as a reminder of the ongoing need for vigilance in website security.

Jul 19, 2026

Update now: 7-Zip fixes RCE flaw exploitable with malicious archives

BleepingComputer

7-Zip has released version 26.02 to address a serious remote code execution (RCE) vulnerability. This flaw allows attackers to execute malicious code on users' systems if they open specially crafted compressed files. Users of 7-Zip should update to the latest version to protect themselves from potential exploitation. The vulnerability is particularly concerning as it could be exploited easily by tricking users into opening harmful files. Keeping software up to date is crucial in maintaining security and preventing such attacks.

Jul 18, 2026