Share
## https://sploitus.com/exploit?id=E7D11A43-3433-53EC-B36F-E85D104B549B
# wp2shell
Pre-authentication Remote Code Execution against WordPress Core.
Chains **CVE-2026-60137** (SQLi in `author__not_in` / `author_exclude` parameter of `WP_Query`) with **CVE-2026-63030** (REST API batch-route confusion) for unauthenticated RCE.
## Affected Versions
| Range | Status |
|---|---|
| <= 6.8.5 | Not affected (no batch confusion) |
| 6.8.0 - 6.8.5 | SQLi only, no RCE |
| **6.9.0 - 6.9.4** | **Vulnerable** |
| **7.0.0 - 7.0.1** | **Vulnerable** |
| 7.0.2+ / 6.9.5+ | Patched |
## Usage
```
python3 poc.py -u TARGET_URL
python3 poc.py -u TARGET_URL --sql "SELECT user_pass FROM wp_users LIMIT 1"
python3 poc.py -u TARGET_URL -c "id"
```
### Modes
| Arguments | Behavior |
|---|---|
| `-u TARGET_URL` | Check if vulnerable (timing probe) |
| `-u TARGET_URL --sql "SQL"` | Extract scalar via blind SQLi |
| `-u TARGET_URL -c "CMD"` | Full RCE chain |
## How It Works
1. **Batch-route confusion** โ exploits the batch API (`/batch/v1`) to desync request handling and bypass authentication
2. **Time-based blind SQLi** โ injects into `author_exclude` parameter via `SLEEP()` timing oracle
3. **oEmbed cache corruption** โ creates forged oEmbed cache entries via UNION injection
4. **Customizer changeset injection** โ recasts cache entries as a changeset with admin authorship
5. **Admin account creation** โ publishes the changeset and creates a new admin user
6. **Plugin upload** โ logs in as the new admin, uploads a plugin that registers a REST API command endpoint
7. **Command execution** โ sends command via the plugin's REST endpoint, returns output, self-destructs
## Attack Flow
```
Vulnerability check โ Seed oEmbed posts โ Extract table name (blind SQLi)
โ Extract admin ID (blind SQLi) โ Extract cache post IDs (blind SQLi)
โ Inject poisoned changeset via batch โ Create admin user
โ Login โ Upload command plugin โ Execute command โ Cleanup
```
## Credits
- **CVE-2026-60137** โ SQLi in `author__not_in`: discovered by TF1T, dtro, haongo
- **CVE-2026-63030** โ Batch-route confusion: discovered by Adam Kues (Assetnote / Searchlight Cyber)
- PoC implementation: [sergiointel/wp2shell-poc](https://github.com/sergiointel/wp2shell-poc)