Unauthenticated pre-auth RCE PoC for the WordPress wp2shell chain (CVE-2026-63030 + CVE-2026-60137), affecting WordPress 6.9.0–6.9.4 and 7.0.0–7.0.1 on a fully default install.
It abuses a REST batch array misalignment to reach a WP_Query SQL injection, then poisons the object cache to forge an admin account and deploy a webshell, no non-default MySQL config required.
Original discovery by Adam Kues and Patrik Grobshäuser at Assetnote/Searchlight Cyber; this PoC was built with Claude.
python3 wp2shell.py http://target/ --cmd "id"Technical writeup at https://yoerivegt.com/wp2shell/