Share
## https://sploitus.com/exploit?id=EB524D5C-D08C-51D0-BD31-7D7301919A9E
# CVE-2026-63030: wp2shell
**WordPress Batch API Desynchronization SQL Injection Exploit**
Proof of Concept tool for extracting users and password hashes via the CVE-2026-63030 (wp2shell) vulnerability.
---
## Vulnerability Information
- **CVE**: CVE-2026-63030 (wp2shell)
- **Companion CVE**: CVE-2026-60137
- **Type**: Pre-Auth Blind SQL Injection
- **Affected**: WordPress 6.9.0โ6.9.4, 7.0.0โ7.0.1
- **Fixed**: 6.9.5, 7.0.2+
---
## References
- [Penligent Analysis - CVE-2026-63030 wp2shell](https://www.penligent.ai/hackinglabs/cve-2026-63030-wp2shell/)
- [Rapid7 Labs - CVE-2026-63030: wp2shell a Critical Remote Code Execution Vulnerability in WordPress Core](https://www.rapid7.com/blog/post/etr-cve-2026-63030-wp2shell-a-critical-remote-code-execution-vulnerability-in-wordpress-core/)
- [WordPress 7.0.2 Security Release](https://wordpress.org/news/2026/07/wordpress-7-0-2-release/)