Wire · founder news, decoded · regulatory
WordPress Core "wp2shell" RCE flaws get public exploits, patch now
Critical remote code execution flaws (CVE-2026-63030 and CVE-2026-60137) in WordPress Core versions 6.9.x and 7.0.x can be chained together for unauthenticated RCE; public exploits are now available and WordPress has enabled forced automatic updates.
The Wire takeaway
If you build on WordPress — whether hosted SaaS, agency, or plugin — your entire customer base needs to patch in the next 48 hours or face remote takeover; this is the infrastructure event that forces you to move patch cycles to the top of your roadmap.
Read the full story at bleepingcomputer.com →
Topics: Cybersecurity · Enterprise Software · wordpress-rce · critical-patch · security-incident · rest-api-flaw · sql-injection