Public exploits have been released for the critical "wp2shell" remote code execution vulnerabilities affecting WordPress Core, making it imperative that administrators patch their sites immediately.

The wp2shell attack consists of two flaws, tracked as CVE-2026-63030 and CVE-2026-60137, that can be chained together to achieve pre-authentication remote code execution against WordPress installs running versions 6.9.x and 7.0.x.

The flaws were discovered by Adam Kues of Searchlight Cyber, which says an unauthenticated attacker can exploit them against a default WordPress installation.

"Searchlight Cyber's security research team has discovered a pre-authentication RCE in WordPress Core," explained Searchlight Cyber.

"The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins."