Share
## https://sploitus.com/exploit?id=86EC71B0-3FDB-53E1-A4CA-5A642F759B3F
# CVE-2026-63030: WordPress Pre-Auth RCE Explained

> **๐Ÿ“– Read the full technical analysis first:** [CVE-2026-63030: WordPress Pre-Auth RCE Explained](https://www.arafatops.com/blog/security/cve-2026-63030-wordpress-pre-auth-rce-explained)
> 
> This repository contains the proof-of-concept exploit referenced in that article. Start with the blog to understand the vulnerability, limitations, and reproduction process.

---

## Quick Facts

| Aspect | Details |
|--------|---------|
| **Vulnerability** | CVE-2026-63030 (route confusion) + CVE-2026-60137 (SQL injection) |
| **Type** | Pre-authentication Remote Code Execution |
| **CVSS Score** | 9.8 (Critical) |
| **Affected Versions** | WordPress 6.9.0โ€“6.9.4, 7.0.0โ€“7.0.1 |
| **Fixed In** | WordPress 6.9.5, 7.0.2+ |
| **Impact** | 500M+ WordPress sites potentially affected |
| **Preconditions** | None โ€” works on stock WordPress installations |

---

## What's Inside

This repository contains:

- **`wordpress-rest-exploit.py`** โ€” Single-file Python exploit tool (1,005 lines, no dependencies)
- **`README.md`** โ€” This file with setup and usage
- **`POC.md`** โ€” Detailed step-by-step reproduction guide with real examples
- **`LICENSE`** โ€” MIT License

---

## Understanding the Vulnerability

Before using this exploit, understand the **critical limitation** that makes this vulnerability different from how it's been reported:

### The Gap Between Theory and Practice

The vulnerability chain is real and critical. However:

- โœ… **Vulnerability detection works perfectly** ( 401]);
           }
       }
       return $response;
   }, 10, 1);
   ```

### For Security Researchers

1. **Understand the limitation:** Custom table prefixes block automated exploitation
2. **Determine the prefix:** Use direct access, brute-force, or ask the client
3. **Plan accordingly:** Budget 30+ minutes for blind SQLi if prefix is unknown
4. **Have credentials:** Admin password cracking may take hours (GPU-accelerated)

---

## Key Insights

| Finding | Impact |
|---------|--------|
| Vulnerability detection works perfectly | Easy to identify affected sites |
| SQL injection is reliable | Database access is guaranteed (if prefix known) |
| Table prefix is the bottleneck | 70% of production sites are protected |
| Blind SQLi is slow | 30+ minutes for complete extraction |
| Post-auth RCE works seamlessly | Full system compromise once authenticated |
| Pre-auth RCE undisclosed | Searchlight Cyber didn't release the technique |

---

## Legal

**For authorized security testing only.** Use exclusively against systems you own or have explicit written permission to test. No warranty is provided and no liability is accepted for misuse.

---

## References

- **Blog Article:** [CVE-2026-63030: WordPress Pre-Auth RCE Explained](https://www.arafatops.com/blog/security/cve-2026-63030-wordpress-pre-auth-rce-explained)
- **Step-by-Step Guide:** [POC.md](POC.md)
- **Searchlight Cyber Advisory:** https://slcyber.io/research-center/wp2shell-pre-authentication-rce-in-wordpress-core/
- **Vulnerability Checker:** https://wp2shell.com/
- **WordPress 7.0.2 Release:** https://wordpress.org/news/2026/07/wordpress-7-0-2-release/
- **NVD CVE-2026-63030:** https://nvd.nist.gov/vuln/detail/CVE-2026-63030
- **NVD CVE-2026-60137:** https://nvd.nist.gov/vuln/detail/CVE-2026-60137

---

## About This Project

**Research & Development:** [Easin Arafat](https://arafatops.com/)  
**GitHub:** [@mrx-arafat](https://github.com/mrx-arafat)  
**Website:** [arafatops.com](https://arafatops.com/)

This proof-of-concept demonstrates the WordPress wp2shell vulnerability chain with practical exploitation techniques, vulnerability detection, and real-world testing results. Start with the blog article to understand the full context.

---

**Last Updated:** July 2026  
**License:** MIT