WordPress Core 'wp2shell' RCE Vulnerabilities Now Have Public Exploits — Patch Immediately
Public Exploits Are Live for Critical WordPress RCE Flaws
Public exploit code has been released for the "wp2shell" remote code execution vulnerabilities in WordPress Core, according to BleepingComputer. Once proof-of-concept exploits go public, mass automated scanning and exploitation typically follow within hours — this is no longer a theoretical risk.
Why This Matters
WordPress powers roughly 43% of all websites on the internet. RCE vulnerabilities in Core — not a plugin, not a theme, but WordPress itself — represent an unusually wide blast radius. "wp2shell" refers to the class of flaw that lets an unauthenticated or low-privilege attacker execute arbitrary code on the server, effectively handing over full control of the host. With public exploits now circulating, even unsophisticated attackers can weaponize these bugs using off-the-shelf tooling.
If your site is unpatched, assume it is being actively scanned right now. Successful exploitation typically leads to webshell installation, credential harvesting, site defacement, or use of the server as a spam relay or pivot point into your broader infrastructure.
What to Do
1. Patch immediately. Update WordPress Core to the latest patched release. In your WP Admin dashboard: Dashboard → Updates → Update Now. If you manage multiple sites, use WP-CLI:
wp core update
wp core verify-checksums
2. Verify the update took effect. Check wp-includes/version.php or the bottom of the WP Admin dashboard for the current version number and confirm it matches the patched release.
3. Review for indicators of compromise. If there's any chance your site was exposed before patching, audit:
- Recently modified PHP files:
find /var/www -name '*.php' -newer /var/www/wp-config.php - Unknown admin accounts in Users → All Users
- Unexpected cron jobs:
wp cron event list - Access logs for unusual POST requests to
xmlrpc.php,wp-login.php, orwp-admin/
4. Enable auto-updates for Core if you haven't already. Add to wp-config.php:
define('WP_AUTO_UPDATE_CORE', true);
5. Put a WAF in front if possible. Cloudflare, Sucuri, or similar can block known exploit signatures while you coordinate patching across managed sites.
6. Managed/hosted WordPress users: Contact your host immediately if self-service updates aren't available — many hosts are pushing emergency patches, but confirm rather than assume.
There is no reason to wait on this one. Public exploits compress the response window from days to hours.
Synthesized by Claude · sanity-checked before publish.