Share
## https://sploitus.com/exploit?id=EB524D5C-D08C-51D0-BD31-7D7301919A9E
# CVE-2026-63030: wp2shell

**WordPress Batch API Desynchronization SQL Injection Exploit**

Proof of Concept tool for extracting users and password hashes via the CVE-2026-63030 (wp2shell) vulnerability.

---

## Vulnerability Information

- **CVE**: CVE-2026-63030 (wp2shell)
- **Companion CVE**: CVE-2026-60137
- **Type**: Pre-Auth Blind SQL Injection
- **Affected**: WordPress 6.9.0โ€“6.9.4, 7.0.0โ€“7.0.1
- **Fixed**: 6.9.5, 7.0.2+


---

## References

- [Penligent Analysis - CVE-2026-63030 wp2shell](https://www.penligent.ai/hackinglabs/cve-2026-63030-wp2shell/)
- [Rapid7 Labs - CVE-2026-63030: wp2shell a Critical Remote Code Execution Vulnerability in WordPress Core](https://www.rapid7.com/blog/post/etr-cve-2026-63030-wp2shell-a-critical-remote-code-execution-vulnerability-in-wordpress-core/)
- [WordPress 7.0.2 Security Release](https://wordpress.org/news/2026/07/wordpress-7-0-2-release/)