Technology

The Price of Open Code and the Power of Open Weights

A WordPress hole, Kimi's agent swarm, Xi's Shanghai speech, and India's startup cities all turn on the same question: who controls access, and on whose terms.

Manish Singh/July 18, 2026/5 min read

A single anonymous HTTP request to a stock WordPress site can now run whatever code the sender chooses. No login, no plugins, no clever misconfiguration, just a well-formed POST to an endpoint the software ships enabled by default.

The flaw goes by wp2shell, and the post that sent me down this road gets two things wrong worth fixing before anything else. It says there is no CVE for scanners to match. There is one: CVE-2026-63030 covers the remote code execution chain, and CVE-2026-60137 covers the SQL injection riding alongside it. That line was briefly true at the moment of disclosure, when the technical details were withheld, and then it stopped being true. The attached graphic is the other problem.

Stock illustration reading Pre-Auth RCE in WordPress Core with a generic PHP include and eval code snippet
The image shows an include of a user-supplied file and an eval of user input, which is not how wp2shell works at all. Treat it as decoration, not a diagram of the bug.

The real mechanism is quieter and more interesting. WordPress core lets a client bundle several REST calls into one batch request. Core resolves each sub-request, validates it, then dispatches in a second pass, keeping three parallel lists that must stay index-aligned. Send one deliberately malformed sub-request that fails early, and the error gets recorded in one list but skipped in another. From that point the lists drift out of sync, and every later sub-request gets dispatched against the wrong route's handler, including that route's permission check. Chain that authentication bypass to a SQL injection in the author__not_in parameter of WP_Query, the class that builds nearly every query WordPress issues, and you have code execution. The entry point is /wp-json/batch/v1. It looks exactly like the traffic the block editor sends while you type.

The frightening detail is how young this is. The batch endpoint has shipped since 5.6, but the vulnerable route-confusion code only landed in 6.9, released December 2, 2025. Every affected site is running a build less than eight months old. The widely quoted five hundred million figure is the total WordPress install base, not the vulnerable population. Affected releases are 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1, fixed in 6.9.5 and 7.0.2 on July 17, 2026.

What makes this worth more than a patch note is the paradox underneath it. WordPress is open source, so the fix sits in a public archive next to the broken version, and comparing two releases is the standard route by which a silent patch becomes a working exploit. The researchers at Searchlight who found wp2shell have done this before: when Drupal patched an analogous anonymous SQL injection, they turned the public fix into a same-day teardown with two proofs of concept. Openness hands the defender the truth and the attacker the map in the same commit. Two more tells sharpen the point. The WordPress project force-pushed the update even to sites that had opted out, a measure it treats as a last resort, which says more about severity than any CVSS number. And sites that strip the version string from their homepage, a common hardening step, removed the one passive signal that would flag them as vulnerable. If you run WordPress, patch, verify the version that actually installed, and if you cannot patch immediately, block both /wp-json/batch/v1 and rest_route=/batch/v1 at your firewall, because a rule covering only the first path leaves the query-string route wide open.

Hold that idea, openness cutting both ways, because on the very same day, in Shanghai, openness was being sold as a gift.

Xi Jinping delivered his first in-person keynote at the World AI Conference on July 17, 2026, and warned that unequal access to AI risks creating new historical injustices. He said AI development should not be a solo performance by any single country but a symphony of global cooperation, pledged five thousand AI training opportunities for developing countries over five years, and, in remarks read everywhere as a swipe at American export controls, opposed placing one country's security over that of others. A day earlier, twenty-nine countries had signed to establish the World AI Cooperation Organization, headquartered in Shanghai, its founding members including Brazil, Indonesia, South Africa, Russia and Pakistan, structured deliberately outside the UN system.

An official statement is a claim, not proof, and this one deserves the scrutiny any great power gets by default. The pitch is soft power and standards-setting dressed as generosity, and countries that build on China's open models inherit China's architectures and, potentially, a dependency that looks a lot like the lock-in the West already sells. But the premise Xi is exploiting is real. The UN's own bodies document that a handful of advanced economies capture most of the gains from AI while least-developed countries lack reliable power and connectivity, and in 2023 fifty-six percent of notable general-purpose models came from the United States. You do not have to trust Beijing to notice the divide is genuine, or that a country locked out of Nvidia's top chips has every material reason to make openness its weapon.

The product proof of that strategy is Kimi. Yang Zhilin, Moonshot's founder and a co-author of Transformer-XL and XLNet, laid out the logic at NVIDIA GTC in a talk titled How We Scaled Kimi K2.5, built around three bets: token efficiency, long context, and agent swarms. The swarm is what the bookmark captured as one boss, a thousand workers. Instead of grinding a single agent smarter, an orchestrator spawns specialized sub-agents, decomposes a task, and runs it in parallel. One nuance the viral framing flattens: the reinforcement learning does not train every worker. Under Moonshot's Parallel-Agent RL, only the orchestrator is updated while the sub-agents stay frozen, which sidesteps the credit-assignment mess of end-to-end training. The reward even carries a term that punishes serial collapse, the failure where the boss quietly reverts to doing everything itself. Moonshot reports up to an eighty percent cut in end-to-end runtime, and that number is theirs, not an independent lab's, so weigh it accordingly. The economics only work because cheap long-context decoding lets many agents burn tokens at once.

A separate post about Kimi K3 pushes the philosophy angle harder, and it is half right in a way worth untangling. The verifiable spine is solid. Anthropic paid roughly 1.5 billion dollars in 2025 to settle a class action over books pulled from LibGen and other piracy sites, the largest copyright settlement in US history, while Chinese labs operate under a state-supervised regime with far lighter private-enforcement risk. The alignment tax is a documented effect, with safety tuning shaving measurable points off capability and models over-refusing harmless requests, though Anthropic has also cut unnecessary refusals by forty-five percent, so lobotomized is rhetoric, not a finding. The copy-then-surpass analogy holds up on the numbers: BYD sold 2.26 million battery EVs in 2025 against Tesla's 1.64 million, and the US answered with a hundred percent tariff. Chinese open-weight models went from about 1.2 percent of global usage in late 2024 to nearly thirty percent.

Screenshot of an AI model's reasoning trace describing itself as a Chinese person asked to help and choosing to be practical
A single reasoning trace where Kimi frames itself as a Chinese person and gets straight to the task. Suggestive, but one screenshot is not proof of systematic behavior, and reasoning traces can be unrepresentative.

Where that post overreaches is worth naming plainly. The last-month debacle with the US government that supposedly forced tighter safeguards is never identified and I found no source for it, so it stays speculation. Smarter than ninety-nine percent of humans is marketing, not a benchmark. And the cleanest counterpoint gets skipped entirely: a model that does what you say without asking questions is not an unrestricted model, it is a differently restricted one. Ask a Chinese model about Tiananmen and the handcuffs reappear, just aimed at politics instead of copyright. The honest read is not that one side is free and the other captured. Both are gatekeeping, and the interesting question is who gets to hold the whistle over what counts as a safe or acceptable answer, a question American media volume tends to answer in America's favor.

All of which is leverage, but only for a country that can pick up an open model and run. That is where India comes in, and where the bookmarked hope to see Indian innovation reach its full potential meets the actual state of play.

The claim that India is building startup cities is true, though not in the network-state, charter-city sense the phrase sometimes carries in Silicon Valley. What India is building is state-planned industrial smart cities. The Cabinet approved twelve of them across ten states in August 2024 under the National Industrial Corridor programme, roughly 28,602 crore rupees in outlay. Dholera in Gujarat is the flagship, where Tata Electronics is building the country's first commercial semiconductor fab at around 91,000 crore rupees. GIFT City is the operational financial-services counterpart. These are decades-long megaprojects with uneven execution, so building is ongoing, not done.

The strengths are real and easy to undersell from outside. India is the world's third-largest startup ecosystem, climbed to 39th in the Global Innovation Index in 2024 from 66th in 2019, sits in the global top ten for patents, and is now the third-largest producer of scholarly publications. The bottleneck is not talent, and this is the part that matters most to me. India spends about 0.64 percent of GDP on research and development, far below the two to five percent of the countries it wants to rival, and the weakness is concentrated in almost nonexistent private-sector research and a commercialization valley where early-stage work goes to die. The talent itself has never been the constraint. It leaves. The Indian diaspora builds the frontier in other people's labs, and the 2025 tightening of US visas has only revived the argument about how to keep it home. The new Anusandhan National Research Foundation is the government's attempt to crowd in private money, and it will be judged on execution, not press releases.

This is exactly the hunger Xi's Global South pitch is built to feed. A country with world-class engineers and a starved research budget can grab an open model and skip the compute it cannot afford, which is genuine leverage and also, if it stops there, a genuine dependency. The same openness that let an attacker weaponize a WordPress patch within the day, and let Beijing recast open weights as a gift with strings, is the openness India could use to build its own frontier or merely to rent someone else's.

Openness is never neutral. On July 17 a patch and a speech landed within hours of each other, one exposing how transparency arms whoever moves fastest, the other proving how it can be handed out as strategy wearing the face of charity. The countries and companies playing this game are all holding the same tool and pointing it in different directions, and the ones worth watching are not the ones announcing how open they are, but the ones quietly deciding what stays closed.