Skip to content

NULL200OK/WP2Shell

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

WP2Shell - CVE-2026-63030 / CVE-2026-60137 WordPress REST API Batch SQL Injection to RCE

Full discovery and exploitation tool for WordPress REST API Batch endpoint vulnerability.

This tool exploits a critical SQL injection vulnerability in the WordPress REST API /wp-json/batch/v1 endpoint, allowing unauthenticated attackers to execute arbitrary SQL queries and achieve Remote Code Execution (RCE) on vulnerable WordPress installations.

⚡ Features

  • Time-based blind SQL injection detection - Accurately identifies vulnerable targets using configurable sleep delays
  • Automatic method discovery - Tests POST, PUT, PATCH, and DELETE methods to find the working payload format
  • Full exploitation pipeline - Extracts admin credentials via UNION-based injection
  • Dual RCE paths:
    • INTO OUTFILE - Writes webshell directly to filesystem when MySQL FILE privilege is enabled
    • Admin plugin upload - Falls back to authenticated plugin upload when file write is restricted
  • Parallel scanning - Multi-threaded architecture for fast target enumeration
  • Rich reporting - Generates detailed JSON and HTML reports with extracted credentials

🔧 Technical Details

Vulnerability: CVE-2026-63030 / CVE-2026-60137 Vector: WordPress REST API Batch endpoint (/wp-json/batch/v1) SQL Injection Impact: Unauthenticated RCE Affected Versions: WordPress 6.4.x and earlier (specific versions TBD)

Exploitation Chain

  1. Discovery - Time-based blind SQL injection detection using SLEEP() payloads
  2. Column detection - Determines table structure via ORDER BY probing
  3. Data extraction - UNION-based injection to extract:
    • Database name
    • Table names
    • Admin credentials (username + password hash)
  4. Shell injection - Writes PHP webshell via INTO OUTFILE (when allowed)
  5. Fallback - Authenticated plugin upload via admin panel (if credentials extracted)

🚀 Quick Start

# Clone the repository
git clone https://github.com/NULL200OK/wp2shell.git
cd wp2shell

# Install dependencies
pip install requests beautifulsoup4

# Create targets file
echo "https://target.com" > targets.txt

# Run discovery
python wp2shell.py targets.txt --scan --verbose

# Full exploitation
python wp2shell.py targets.txt --exploit --verbose

📋 Usage Examples:

# Scan single target with verbose output
python wp2shell.py targets.txt --exploit --verbose

# Custom sleep time for slow servers
python wp2shell.py targets.txt --exploit --sleep 20 --verbose

# Multi-threaded scanning (20 threads)
python wp2shell.py targets.txt --exploit --threads 20 --verbose

# Skip shell writes (extract credentials only)
python wp2shell.py targets.txt --exploit --no-shell --verbose

# Force specific HTTP method
python wp2shell.py targets.txt --exploit --method POST --verbose

📊 Output:

1- JSON report: Structured data with vulnerability status and extracted credentials

2- HTML report: Beautiful, color-coded visualization with clickable shell URLs


⚠️ Disclaimer:

This tool is for educational and authorized testing purposes only. Use only on systems you own or have explicit permission to test. The author assumes no responsibility for misuse.


About

WP2Shell - CVE-2026-63030 / CVE-2026-60137 This tool exploits a critical SQL injection vulnerability in the WordPress REST API `/wp-json/batch/v1` endpoint, allowing unauthenticated attackers to execute arbitrary SQL queries and achieve Remote Code Execution (RCE) on vulnerable WordPress installations.

Topics

Resources

Stars

4 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages