Share
## https://sploitus.com/exploit?id=E7D11A43-3433-53EC-B36F-E85D104B549B
# wp2shell

Pre-authentication Remote Code Execution against WordPress Core.

Chains **CVE-2026-60137** (SQLi in `author__not_in` / `author_exclude` parameter of `WP_Query`) with **CVE-2026-63030** (REST API batch-route confusion) for unauthenticated RCE.

## Affected Versions

| Range | Status |
|---|---|
| <= 6.8.5 | Not affected (no batch confusion) |
| 6.8.0 - 6.8.5 | SQLi only, no RCE |
| **6.9.0 - 6.9.4** | **Vulnerable** |
| **7.0.0 - 7.0.1** | **Vulnerable** |
| 7.0.2+ / 6.9.5+ | Patched |

## Usage

```
python3 poc.py -u TARGET_URL
python3 poc.py -u TARGET_URL --sql "SELECT user_pass FROM wp_users LIMIT 1"
python3 poc.py -u TARGET_URL -c "id"
```

### Modes

| Arguments | Behavior |
|---|---|
| `-u TARGET_URL` | Check if vulnerable (timing probe) |
| `-u TARGET_URL --sql "SQL"` | Extract scalar via blind SQLi |
| `-u TARGET_URL -c "CMD"` | Full RCE chain |

## How It Works

1. **Batch-route confusion** โ€” exploits the batch API (`/batch/v1`) to desync request handling and bypass authentication
2. **Time-based blind SQLi** โ€” injects into `author_exclude` parameter via `SLEEP()` timing oracle
3. **oEmbed cache corruption** โ€” creates forged oEmbed cache entries via UNION injection
4. **Customizer changeset injection** โ€” recasts cache entries as a changeset with admin authorship
5. **Admin account creation** โ€” publishes the changeset and creates a new admin user
6. **Plugin upload** โ€” logs in as the new admin, uploads a plugin that registers a REST API command endpoint
7. **Command execution** โ€” sends command via the plugin's REST endpoint, returns output, self-destructs

## Attack Flow

```
Vulnerability check โ†’ Seed oEmbed posts โ†’ Extract table name (blind SQLi)
โ†’ Extract admin ID (blind SQLi) โ†’ Extract cache post IDs (blind SQLi)
โ†’ Inject poisoned changeset via batch โ†’ Create admin user
โ†’ Login โ†’ Upload command plugin โ†’ Execute command โ†’ Cleanup
```

## Credits

- **CVE-2026-60137** โ€” SQLi in `author__not_in`: discovered by TF1T, dtro, haongo
- **CVE-2026-63030** โ€” Batch-route confusion: discovered by Adam Kues (Assetnote / Searchlight Cyber)
- PoC implementation: [sergiointel/wp2shell-poc](https://github.com/sergiointel/wp2shell-poc)