## https://sploitus.com/exploit?id=3DB95A2E-FA0E-5CC8-8D70-C8C042C40615
Unauthenticated pre-auth RCE PoC for the WordPress wp2shell chain (CVE-2026-63030 + CVE-2026-60137), affecting WordPress 6.9.0–6.9.4 and 7.0.0–7.0.1 on a fully default install.
It abuses a REST batch array misalignment to reach a WP_Query SQL injection, then poisons the object cache to forge an admin account and deploy a webshell, no non-default MySQL config required.
Original discovery by Adam Kues and Patrik Grobshäuser at Assetnote/Searchlight Cyber; this PoC was built with Claude.
```bash
python3 wp2shell.py http://target/ --cmd "id"
```
Technical writeup at https://yoerivegt.com/wp2shell/