HIGH: WordPress Core 'wp2shell' Pre-Auth RCE Chain Gets Public Exploits (CVE-2026-63030)
A pre-authentication RCE chain in WordPress core, nicknamed wp2shell, chains CVE-2026-63030 (REST API batch route confusion) with CVE-2026-60137 (a core SQL injection) to run code on a stock install with no login and no plugins. Working exploit code is public. Patch to 6.9.5, 7.0.2, or 6.8.6 now.