## https://sploitus.com/exploit?id=86EC71B0-3FDB-53E1-A4CA-5A642F759B3F
# CVE-2026-63030: WordPress Pre-Auth RCE Explained
> **๐ Read the full technical analysis first:** [CVE-2026-63030: WordPress Pre-Auth RCE Explained](https://www.arafatops.com/blog/security/cve-2026-63030-wordpress-pre-auth-rce-explained)
>
> This repository contains the proof-of-concept exploit referenced in that article. Start with the blog to understand the vulnerability, limitations, and reproduction process.
---
## Quick Facts
| Aspect | Details |
|--------|---------|
| **Vulnerability** | CVE-2026-63030 (route confusion) + CVE-2026-60137 (SQL injection) |
| **Type** | Pre-authentication Remote Code Execution |
| **CVSS Score** | 9.8 (Critical) |
| **Affected Versions** | WordPress 6.9.0โ6.9.4, 7.0.0โ7.0.1 |
| **Fixed In** | WordPress 6.9.5, 7.0.2+ |
| **Impact** | 500M+ WordPress sites potentially affected |
| **Preconditions** | None โ works on stock WordPress installations |
---
## What's Inside
This repository contains:
- **`wordpress-rest-exploit.py`** โ Single-file Python exploit tool (1,005 lines, no dependencies)
- **`README.md`** โ This file with setup and usage
- **`POC.md`** โ Detailed step-by-step reproduction guide with real examples
- **`LICENSE`** โ MIT License
---
## Understanding the Vulnerability
Before using this exploit, understand the **critical limitation** that makes this vulnerability different from how it's been reported:
### The Gap Between Theory and Practice
The vulnerability chain is real and critical. However:
- โ **Vulnerability detection works perfectly** ( 401]);
}
}
return $response;
}, 10, 1);
```
### For Security Researchers
1. **Understand the limitation:** Custom table prefixes block automated exploitation
2. **Determine the prefix:** Use direct access, brute-force, or ask the client
3. **Plan accordingly:** Budget 30+ minutes for blind SQLi if prefix is unknown
4. **Have credentials:** Admin password cracking may take hours (GPU-accelerated)
---
## Key Insights
| Finding | Impact |
|---------|--------|
| Vulnerability detection works perfectly | Easy to identify affected sites |
| SQL injection is reliable | Database access is guaranteed (if prefix known) |
| Table prefix is the bottleneck | 70% of production sites are protected |
| Blind SQLi is slow | 30+ minutes for complete extraction |
| Post-auth RCE works seamlessly | Full system compromise once authenticated |
| Pre-auth RCE undisclosed | Searchlight Cyber didn't release the technique |
---
## Legal
**For authorized security testing only.** Use exclusively against systems you own or have explicit written permission to test. No warranty is provided and no liability is accepted for misuse.
---
## References
- **Blog Article:** [CVE-2026-63030: WordPress Pre-Auth RCE Explained](https://www.arafatops.com/blog/security/cve-2026-63030-wordpress-pre-auth-rce-explained)
- **Step-by-Step Guide:** [POC.md](POC.md)
- **Searchlight Cyber Advisory:** https://slcyber.io/research-center/wp2shell-pre-authentication-rce-in-wordpress-core/
- **Vulnerability Checker:** https://wp2shell.com/
- **WordPress 7.0.2 Release:** https://wordpress.org/news/2026/07/wordpress-7-0-2-release/
- **NVD CVE-2026-63030:** https://nvd.nist.gov/vuln/detail/CVE-2026-63030
- **NVD CVE-2026-60137:** https://nvd.nist.gov/vuln/detail/CVE-2026-60137
---
## About This Project
**Research & Development:** [Easin Arafat](https://arafatops.com/)
**GitHub:** [@mrx-arafat](https://github.com/mrx-arafat)
**Website:** [arafatops.com](https://arafatops.com/)
This proof-of-concept demonstrates the WordPress wp2shell vulnerability chain with practical exploitation techniques, vulnerability detection, and real-world testing results. Start with the blog article to understand the full context.
---
**Last Updated:** July 2026
**License:** MIT