Share
## https://sploitus.com/exploit?id=BF63DA4D-6F4C-5CD6-85DA-AB01FD91C67F
# WP2Shell - WordPress REST API Exploitation Framework
Automated exploitation framework for CVE-2026-63030 (REST API batch endpoint route confusion) and CVE-2026-60137 (SQL injection in WP_Query).
## Features
- **Automated vulnerability detection** via timing-based blind SQL injection
- **Admin user escalation** through batch API endpoint confusion
- **Plugin-based RCE** with persistent webshell deployment
- **State persistence** to resume from any phase
- **Interactive shell** for post-exploitation
## Installation
```bash
cd ~/wp2shell
pip install -r requirements.txt
```
## Usage
```bash
# Test vulnerability
python3 main.py https://target.com
# Full exploitation with command execution
python3 main.py https://target.com -c "whoami"
# Resume from saved state
python3 main.py https://target.com -c "id" # Automatically resumes from phase 5+
```
## Project Structure
```
wp2shell/
โโโ main.py # Entry point
โโโ requirements.txt # Dependencies
โ
โโโ lib/ # Shared utilities
โ โโโ __init__.py
โ โโโ output.py # Terminal output formatting
โ โโโ api.py # API request handling
โ โโโ config.py # SSL/network config
โ
โโโ exploit/ # Exploitation logic
โ โโโ __init__.py
โ โโโ state.py # State persistence
โ โโโ core.py # Main Exploit class
โ โโโ phases.py # Individual phase implementations
โ โโโ shell.py # Interactive webshell client
โ
โโโ README.md
```
## How It Works
1. **Phase 1 - Detection**: Timing-based SQLi detection via batch API
2. **Phase 2 - Injection**: Inject seed post with oembed URLs
3. **Phase 3 - Config**: Extract database configuration
4. **Phase 4 - Escalation**: Create admin user via SQL injection
5. **Phase 5 - Auth**: Authenticate with created credentials
6. **Phase 6 - Deployment**: Upload and activate plugin webshell
7. **Phase 7 - Shell**: Interactive command execution
## State File
Progress is automatically saved to `~/.json`:
```json
{
"phase": 6,
"timestamp": "2026-07-19T00:54:00Z",
"data": {
"username": "Wordpress-System-User",
"password": "P_...",
"webshell_url": "https://target.com/?rest_route=/api/v1/...",
...
}
}
```
Resume automatically by running the script again with the same target.
## Technical Details
### CVE-2026-63030
REST API batch endpoint (`/batch/v1`) route confusion allows unauthenticated SQL injection through `$matches` array desynchronization.
### CVE-2026-60137
`WP_Query` author__not_in parameter vulnerable to type confusion SQLi.
## Disclaimer
For authorized security testing only. Unauthorized access is illegal.