{"id":9181,"date":"2026-07-18T09:07:21","date_gmt":"2026-07-18T09:07:21","guid":{"rendered":"https:\/\/locaterisk.com\/de\/?p=9181"},"modified":"2026-07-18T09:07:21","modified_gmt":"2026-07-18T09:07:21","slug":"wordpress-core-rce-wp2shell-6-9-7-0","status":"publish","type":"post","link":"https:\/\/locaterisk.com\/en\/wordpress-core-rce-wp2shell-6-9-7-0\/","title":{"rendered":"Critical RCE Vulnerability in WordPress Core (CVE-2026-63030)"},"content":{"rendered":"<div class=\"wp-block-lr-blog-article-header-module\">\r\n    <div class=\"content\">\r\n\t\t<div class=\"headline\">\r\n\t\t\t<button class=\"to-blog-button\">Back to Blog                <a href=\"https:\/\/locaterisk.com\/en\/blog\/\"><\/a>\r\n\t\t\t<\/button>\r\n\t\t\t\t\t<\/div>\r\n        <div class=\"main-content\">\r\n\t\t\t\t\t\t<!--\r\n            <div class=\"header\">\r\n                <h6> <\/h6>\r\n            <\/div>\r\n\t\t\t\t\t\t-->\r\n            <h1 class=\"title\">Critical RCE Vulnerability in WordPress Core (CVE-2026-63030)<\/h1>\r\n            <p class=\"paragraph\"><br><span class=\"lr-ai-disclosure\" style=\"display:block;margin:8px 0 28px;font-size:14px;line-height:1.4;color:#8b93a7;font-family:inherit;font-style:italic;\">This text was generated using artificial intelligence (AI).<\/span>On July 17, 2026, a critical security vulnerability was disclosed in the core of the WordPress content management system. The vulnerability, classified as <strong>CVE-2026-63030<\/strong>, allows attackers to execute arbitrary code (Remote Code Execution, RCE) on affected servers. An official CVSS score had not yet been assigned by NVD\/MITRE at the time of publication; Cloudflare classifies the vulnerability in its analysis as <strong>Critical<\/strong> . Since the attack does not require authentication and, according to Cloudflare, is successful against installations without a persistent object cache, it poses a significant risk to WordPress website operators.<br><br>The security vulnerability, also known as \u201ewp2shell,\u201c is the result of a chain of two vulnerabilities: a \u201ebatch route confusion\u201c in the REST API and an SQL injection vulnerability (<strong>CVE-2026-60137<\/strong>). Due to the high severity of this vulnerability, the WordPress security team has enabled a forced automatic update for affected installations\u2014a measure that is only taken in the case of serious threats.<\/p>\r\n        <\/div>\r\n    <\/div>\r\n<\/div>\r\n\r\n\r\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"400\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability.png\" alt=\"Kritische RCE-L\u00fccke in WordPress Core (CVE-2026-63030)\" class=\"wp-image-9139\" srcset=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability.png 400w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability-300x300.png 300w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability-150x150.png 150w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability-12x12.png 12w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>Technical Background and Attack Sequence<\/strong><\/h2>\n\n\n\n<p>The point of attack is the publicly accessible endpoint <strong>\/wp-json\/batch\/v1<\/strong> the WordPress REST API. A logic error in the processing routine for bundled requests in the file <strong>class-wp-rest-server.php<\/strong> allows bypassing internal route validation. This enables attackers to send requests to internal API functions that normally require authentication.<\/p>\n\n\n\n<p>In a second step, this unauthorized access is exploited to target an SQL injection vulnerability in the file <strong>class-wp-query.php<\/strong> to exploit. This allows manipulated SQL commands to be injected into and executed by the database, ultimately leading to the complete compromise of the system through remote code execution.<\/p>\n\n\n\n<p>The vulnerability was reported by Adam Kues (Searchlight Cyber) as part of a responsible disclosure process. The associated SQL injection was discovered by a team consisting of TF1T, dtro, and haongo.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Affected Versions and Recommended Actions<\/strong><\/h2>\n\n\n\n<p>All WordPress website operators need to take immediate action. The primary step is to update to a secure version.<\/p>\n\n\n\n<p><strong>Versions affected by the RCE vulnerability (CVE-2026-63030):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WordPress 6.9.0 through 6.9.4<\/li>\n\n\n\n<li>WordPress 7.0.0 through 7.0.1<\/li>\n<\/ul>\n\n\n\n<p><strong>Versions affected by the SQL injection vulnerability (CVE-2026-60137):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WordPress 6.8.0 through 6.8.5<\/li>\n<\/ul>\n\n\n\n<p><strong>Immediate measures:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Update to version <a href=\"https:\/\/wordpress.org\/news\/2026\/07\/wordpress-7-0-2-release\/\" target=\"_blank\" rel=\"noreferrer noopener\">7.0.2<\/a>:<\/strong> Fixes both vulnerabilities.<\/li>\n\n\n\n<li><strong>Update to Version 6.9.5:<\/strong> Fixes both vulnerabilities for the 6.9.x branch.<\/li>\n\n\n\n<li><strong>Update to Version 6.8.6:<\/strong> Fixes the SQL injection vulnerability for the 6.8.x branch.<\/li>\n<\/ul>\n\n\n\n<p><strong>Short-term mitigation (if an update isn't possible right away):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Blocking the Path <strong>\/wp-json\/batch\/v1<\/strong> as well as <strong>?rest_route=\/batch\/v1<\/strong> via a Web Application Firewall (WAF).<\/li>\n\n\n\n<li>Temporarily disable the WordPress REST API if it is not absolutely necessary.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Relevance for Companies in Germany, Austria, and Switzerland and Compliance<\/strong><\/h2>\n\n\n\n<p>WordPress is one of the most widely used platforms worldwide\u2014and the potential impact in the DACH region is correspondingly significant. Companies that use WordPress for public websites, customer portals, or internal microsites should immediately verify whether their installations are up to date with the latest patches. If personal data has been compromised as a result of exploitation of the vulnerability, the reporting obligation under GDPR Article 33 applies (72-hour deadline to notify the competent supervisory authority). For operators subject to the NIS 2 Directive, a successful attack may also trigger reporting obligations under Article 23 of NIS 2. The BSI generally recommends installing available security updates for exposed web applications without delay.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Visibility as the Foundation for Cybersecurity and Compliance<\/strong><\/h2>\n\n\n\n<p>Vulnerabilities such as <strong>CVE-2026-63030<\/strong> highlight the need for a comprehensive and up-to-date overview of all externally accessible IT systems. An External Attack Surface Management (EASM) platform like LocateRisk automatically maps an organization\u2019s entire attack surface. This includes not only the company\u2019s primary website but also often-overlooked shadow IT systems, such as forgotten marketing blogs, test environments, or microsites, which may also be running on a vulnerable version of WordPress.<\/p>\n\n\n\n<p>By precisely identifying the software versions in use, security teams can secure affected systems in a targeted manner and without delay. This process is an essential component of risk management and supports compliance with regulatory requirements and standards such as NIS-2 or ISO 27001, which require active vulnerability management.<\/p>\n\n\n\n<p>In addition, monitoring service providers as part of vendor risk management (VRM) is crucial. If an external agency operates a WordPress site for your company, any security vulnerability on their end becomes your risk. LocateRisk supports the continuous assessment of suppliers\u2019 security posture and helps determine whether their systems also meet applicable compliance requirements. The platform is hosted in certified German data centers and helps customers comply with GDPR requirements.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Sources and further information<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>WordPress.org Security Release (official):<\/strong> <a href=\"https:\/\/wordpress.org\/news\/2026\/07\/wordpress-7-0-2-release\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/wordpress.org\/news\/2026\/07\/wordpress-7-0-2-release\/<\/a><\/li>\n\n\n\n<li><strong>Cloudflare Analysis:<\/strong> <a href=\"https:\/\/blog.cloudflare.com\/wordpress-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/blog.cloudflare.com\/wordpress-vulnerabilities\/<\/a><\/li>\n\n\n\n<li><strong>The Hacker News report:<\/strong> <a href=\"https:\/\/thehackernews.com\/2026\/07\/new-wp2shell-wordpress-core-flaw-lets.html\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/thehackernews.com\/2026\/07\/new-wp2shell-wordpress-core-flaw-lets.html<\/a><\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-lr-faq-module\"><div class=\"content\"><h3><strong>Frequently asked questions<\/strong><\/h3><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>Which versions of WordPress are affected by the RCE vulnerability CVE-2026-63030?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">The remote code execution (RCE) vulnerability affects WordPress versions 6.9.0 through 6.9.4, as well as versions 7.0.0 and 7.0.1. WordPress installations prior to version 6.9.0 are not affected by the RCE vulnerability.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>Is my WordPress 6.8 installation secure against CVE-2026-63030?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">Yes, your installation is not affected by the RCE vulnerability. However, it is vulnerable to the associated SQL injection vulnerability. <strong>CVE-2026-60137<\/strong>. An update to version <strong>6.8.6<\/strong> is strongly recommended.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>Is there already a patch for CVE-2026-63030?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">Yes, the WordPress team released security updates on July 17, 2026. Depending on your current version, you should update to <strong>WordPress 7.0.2<\/strong>, <strong>6.9.5<\/strong> or <strong>6.8.6<\/strong> Update. WordPress has also enabled forced automatic updates for affected versions.<\/p><\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-lr-contact-post-module\">\n\t<div id=\"lr-contact-form\" class=\"wp-block-lr-contact-post-module\">\n\t\t<div id=\"formular\" class=\"content\">\n\t\t\t<div class=\"inner-content\">\n\t\t\t\t<div class=\"column-2 feature-mode\">\n\t\t\t\t\t<h2><br>Request your personal Live-Demo now<\/h2>\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\t<div>\n\t\t\t\t\t\t\t\t<p class=\"margin-b-36\">Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.<\/p>\n\t\t\t\t\t\t\t<\/div>\t\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div> \n\t\t\t\t<div class=\"column-2\">\n\t\t\t\t\t<form action=\"\" class=\"form\" method=\"post\" role=\"form\" novalidate data-trp-original-action=\"\">\n\t\t\t\t\t\t<input type=\"text\" id=\"successmessage\" name=\"successmessage\" value=\"Ihre Registrierung war erfolgreich Ihre Anfrage wurde erfolgreich versendet. Wir haben Ihnen soeben eine Best\u00e4tigungsmail mit einem Aktivierungs-Link zugesendet, um einem Missbrauch Ihrer E-Mail Adresse durch Dritte vorzubeugen. Die Mail wird von sales@locaterisk.com versendet und sollte sich i n wenigen Minuten in Ihrem Posteingang finden.\" hidden>\n\t\t\t\t\t\t<input type=\"text\" id=\"errormessage\" name=\"errormessage\" value=\"Da ist wohl etwas schief gelaufen. Bitte probieren Sie es erneut oder nehmen Sie direkt mit uns Kontakt auf\" hidden>\n\t\t\t\t\t\t<input type=\"text\" id=\"slug\" name=\"slug\" value=\"wordpress-core-rce-wp2shell-6-9-7-0\" hidden>\n\n\t\t\t\t\t\t\t\t\t\t\t\t\t<input\n\t\t\t\t\t\t\t\ttype=\"text\"\n\t\t\t\t\t\t\t\tid=\"name\"\n\t\t\t\t\t\t\t\tname=\"name\"\n\t\t\t\t\t\t\t\tplaceholder=\"first name\"\n\t\t\t\t\t\t\t\trequired\tmaxlength=\"50\"\/>\n\n\t\t\t\t\t\t\t<input\n\t\t\t\t\t\t\t\ttype=\"text\"\n\t\t\t\t\t\t\t\tid=\"surname\"\n\t\t\t\t\t\t\t\tname=\"surname\"\n\t\t\t\t\t\t\t\tplaceholder=\"last name\"\n\t\t\t\t\t\t\t\trequired\n\t\t\t\t\t\t\t\tmaxlength=\"50\"\/>\n\t\t\t\t\t\t\n\t\t\t\t\t\t<input\n\t\t\t\t\t\t\ttype=\"email\"\n\t\t\t\t\t\t\tid=\"email\"\n\t\t\t\t\t\t\tname=\"email\"\n\t\t\t\t\t\t\tplaceholder=\"Email\"\n\t\t\t\t\t\t\trequired\n\t\t\t\t\t\t\tmaxlength=\"50\"\/>\n\n\t\t\t\t\t\t<input\n\t\t\t\t\t\t\ttype=\"text\"\n\t\t\t\t\t\t\tid=\"phone\"\n\t\t\t\t\t\t\tname=\"phone\"\n\t\t\t\t\t\t\tplaceholder=\"phone\"\n\t\t\t\t\t\t\trequired\n\t\t\t\t\t\t\tmaxlength=\"50\"\/>\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t<h6 class=\"error-message\" hidden>...<\/h6>\n\t\t\t\t\t\t<div class=\"checkbox_container\">\n\t\t\t\t\t\t\t<div class=\"checkbox\">\n\t\t\t\t\t\t\t\t<input\n\t\t\t\t\t\t\t\t\ttype=\"checkbox\"\n\t\t\t\t\t\t\t\t\tid=\"checkbox\"\n\t\t\t\t\t\t\t\t\tname=\"checkbox\" \/>\n\n\t\t\t\t\t\t\t\t<label for=\"checkbox\"><\/label>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<p class=\"translation-block\">I agree with the <a href=\"https:\/\/locaterisk.com\/en\/datenschutz\/\" target=\"_self\">privacy policy<\/a>.<\/p> \n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\n\t\t\t\t\t<div class=\"g-recaptcha\" data-sitekey=\"6LdErNoZAAAAAD1Re2jNxtDFfcDaL9iED5MRBzjR\" data-callback=\"verifyRecaptchaCallback\" data-expired-callback=\"expiredRecaptchaCallback\"><\/div>\n\t\t\t\t\t<input type=\"hidden\" name=\"g-recaptcha-response\" data-recaptcha \/>\n\n\t\t\t\t\t\t<button class=\"lr-button-link\" type=\"submit\"> Request a Demo<\/button>\n\t\t\t\t\t<input type=\"hidden\" name=\"trp-form-language\" value=\"en\"\/><\/form>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\t\n\t<\/div>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<div class=\"wp-block-lr-contact-module\"><div class=\"content\"><h2>Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!<\/h2><div class=\"contact-info-row\"><div class=\"contact-person-info\"><div class=\"avatar\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2025\/06\/Lukas_Baumann_LocateRisk-300.png\"><\/div><p><span class=\"text before\">Your personal consultant<\/span><span class=\"bold name\"><strong>Lukas<\/strong><\/span> <span class=\"lastname\"><strong>Baumann<strong><\/strong><\/strong><\/span><strong><strong><span class=\"separator\"><\/span><span class=\"role\">CEO<\/span><\/strong><\/strong><\/p><\/div><p class=\"bold phone\"><strong><strong>+49 6151 6290246<\/strong><\/strong><\/p><strong><strong><a class=\"pr-1\" href=\"mailto: sales@locaterisk.com\">Get in Touch Now<\/a><\/strong><\/strong><\/div><\/div><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<div class=\"wp-block-lr-footer-module lr-footer-block\"><div class=\"content\"><div class=\"column0\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/assets\/img\/lr-logo.svg\"\/><\/div><div class=\"categories\"><div class=\"categories-element\"><a class=\"pr-4\" href=\"https:\/\/locaterisk.com\/en\/\">Home<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/blog\/\">Blog<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/about\/\">About Us<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/kontakt\/\">Contact<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/impressum\/\">Legal Notice<\/a><\/div><div class=\"categories-break\"><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/datenschutz\/\">Privacy<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/files\/gtc.pdf\">General Terms and Conditions<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/jobs\/\">Jobs<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"https:\/\/app.secfix.com\/trust\/locaterisk\/d1e7d433b33643aea1880bfbfeab9f60\">Trust Center<\/a><\/div><\/div><div class=\"social\"><div class=\"social-element\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/locaterisk\/\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/10\/gruppe-230@3x.png\"\/><\/a><\/div><div class=\"social-element\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/locaterisk\/\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Instagram.png\"\/><\/a><\/div><div class=\"social-element\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/locaterisk\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/twitter.png\"\/><\/a><\/div><\/div><div class=\"description\"><h6>\u00a9 LocateRisk 2026<\/h6><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>A critical vulnerability (CVE-2026-63030) in WordPress Core allows unauthenticated remote code execution. Versions up to 7.0.1 are affected. Action is required.<\/p>","protected":false},"author":13,"featured_media":9139,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[632],"tags":[739,738,113,111,327,666,740],"class_list":["post-9181","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-news","tag-cve-2026-60137","tag-cve-2026-63030","tag-rce","tag-remote-code-execution","tag-wordpress","tag-wordpress-sicherheit","tag-wp2shell"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CVE-2026-63030: Kritische RCE-L\u00fccke in WordPress Core<\/title>\n<meta name=\"description\" content=\"Eine kritische Schwachstelle (CVE-2026-63030) in WordPress Core erm\u00f6glicht unauthentifizierte Remote Code Execution. Betroffen sind Versionen bis 7.0.1. Handlungsbedarf besteht.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/locaterisk.com\/en\/wordpress-core-rce-wp2shell-6-9-7-0\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CVE-2026-63030: Kritische RCE-L\u00fccke in WordPress Core\" \/>\n<meta property=\"og:description\" content=\"Eine kritische Schwachstelle (CVE-2026-63030) in WordPress Core erm\u00f6glicht unauthentifizierte Remote Code Execution. Betroffen sind Versionen bis 7.0.1. Handlungsbedarf besteht.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/locaterisk.com\/en\/wordpress-core-rce-wp2shell-6-9-7-0\/\" \/>\n<meta property=\"og:site_name\" content=\"LocateRisk\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-18T09:07:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability.png\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kristina Hoinkis\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kristina Hoinkis\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/\"},\"author\":{\"name\":\"Kristina Hoinkis\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/person\\\/68f3857c15afa8ff59c545848dddcc32\"},\"headline\":\"Kritische RCE-L\u00fccke in WordPress Core (CVE-2026-63030)\",\"datePublished\":\"2026-07-18T09:07:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/\"},\"wordCount\":895,\"publisher\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/third-party-vulnerability.png\",\"keywords\":[\"CVE-2026-60137\",\"CVE-2026-63030\",\"RCE\",\"Remote Code Execution\",\"WordPress\",\"WordPress Sicherheit\",\"wp2shell\"],\"articleSection\":[\"Cybersecurity News\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/\",\"name\":\"CVE-2026-63030: Kritische RCE-L\u00fccke in WordPress Core\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/third-party-vulnerability.png\",\"datePublished\":\"2026-07-18T09:07:21+00:00\",\"description\":\"Eine kritische Schwachstelle (CVE-2026-63030) in WordPress Core erm\u00f6glicht unauthentifizierte Remote Code Execution. Betroffen sind Versionen bis 7.0.1. Handlungsbedarf besteht.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/#primaryimage\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/third-party-vulnerability.png\",\"contentUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/third-party-vulnerability.png\",\"width\":400,\"height\":400,\"caption\":\"third-party-vulnerability\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/wordpress-core-rce-wp2shell-6-9-7-0\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/locaterisk.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Kritische RCE-L\u00fccke in WordPress Core (CVE-2026-63030)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/\",\"name\":\"LocateRisk\",\"description\":\"IT-Sicherheit messen und vergleichen\",\"publisher\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\",\"name\":\"LocateRisk\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/Kettenglieder_V0216-9.jpg\",\"contentUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/Kettenglieder_V0216-9.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"LocateRisk\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/locaterisk\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/person\\\/68f3857c15afa8ff59c545848dddcc32\",\"name\":\"Kristina Hoinkis\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"caption\":\"Kristina Hoinkis\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CVE-2026-63030: Kritische RCE-L\u00fccke in WordPress Core","description":"A critical vulnerability (CVE-2026-63030) in WordPress Core allows unauthenticated remote code execution. Versions up to 7.0.1 are affected. Action is required.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/locaterisk.com\/en\/wordpress-core-rce-wp2shell-6-9-7-0\/","og_locale":"en_US","og_type":"article","og_title":"CVE-2026-63030: Kritische RCE-L\u00fccke in WordPress Core","og_description":"Eine kritische Schwachstelle (CVE-2026-63030) in WordPress Core erm\u00f6glicht unauthentifizierte Remote Code Execution. Betroffen sind Versionen bis 7.0.1. Handlungsbedarf besteht.","og_url":"https:\/\/locaterisk.com\/en\/wordpress-core-rce-wp2shell-6-9-7-0\/","og_site_name":"LocateRisk","article_published_time":"2026-07-18T09:07:21+00:00","og_image":[{"width":400,"height":400,"url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability.png","type":"image\/png"}],"author":"Kristina Hoinkis","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kristina Hoinkis","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/#article","isPartOf":{"@id":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/"},"author":{"name":"Kristina Hoinkis","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/person\/68f3857c15afa8ff59c545848dddcc32"},"headline":"Kritische RCE-L\u00fccke in WordPress Core (CVE-2026-63030)","datePublished":"2026-07-18T09:07:21+00:00","mainEntityOfPage":{"@id":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/"},"wordCount":895,"publisher":{"@id":"https:\/\/locaterisk.com\/de\/#organization"},"image":{"@id":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/#primaryimage"},"thumbnailUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability.png","keywords":["CVE-2026-60137","CVE-2026-63030","RCE","Remote Code Execution","WordPress","WordPress Sicherheit","wp2shell"],"articleSection":["Cybersecurity News"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/","url":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/","name":"CVE-2026-63030: Kritische RCE-L\u00fccke in WordPress Core","isPartOf":{"@id":"https:\/\/locaterisk.com\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/#primaryimage"},"image":{"@id":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/#primaryimage"},"thumbnailUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability.png","datePublished":"2026-07-18T09:07:21+00:00","description":"A critical vulnerability (CVE-2026-63030) in WordPress Core allows unauthenticated remote code execution. Versions up to 7.0.1 are affected. Action is required.","breadcrumb":{"@id":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/#primaryimage","url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability.png","contentUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/third-party-vulnerability.png","width":400,"height":400,"caption":"third-party-vulnerability"},{"@type":"BreadcrumbList","@id":"https:\/\/locaterisk.com\/de\/wordpress-core-rce-wp2shell-6-9-7-0\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/locaterisk.com\/"},{"@type":"ListItem","position":2,"name":"Kritische RCE-L\u00fccke in WordPress Core (CVE-2026-63030)"}]},{"@type":"WebSite","@id":"https:\/\/locaterisk.com\/de\/#website","url":"https:\/\/locaterisk.com\/de\/","name":"LocateRisk","description":"Measure and compare IT security","publisher":{"@id":"https:\/\/locaterisk.com\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/locaterisk.com\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/locaterisk.com\/de\/#organization","name":"LocateRisk","url":"https:\/\/locaterisk.com\/de\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/logo\/image\/","url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Kettenglieder_V0216-9.jpg","contentUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Kettenglieder_V0216-9.jpg","width":1920,"height":1080,"caption":"LocateRisk"},"image":{"@id":"https:\/\/locaterisk.com\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/locaterisk\/"]},{"@type":"Person","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/person\/68f3857c15afa8ff59c545848dddcc32","name":"Kristina Hoinkis","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","caption":"Kristina Hoinkis"}}]}},"_links":{"self":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/9181","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/comments?post=9181"}],"version-history":[{"count":1,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/9181\/revisions"}],"predecessor-version":[{"id":9182,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/9181\/revisions\/9182"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/media\/9139"}],"wp:attachment":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/media?parent=9181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/categories?post=9181"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/tags?post=9181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}