Skip to content

yoerivegt/wp2shell-poc

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 

Repository files navigation

Unauthenticated pre-auth RCE PoC for the WordPress wp2shell chain (CVE-2026-63030 + CVE-2026-60137), affecting WordPress 6.9.0–6.9.4 and 7.0.0–7.0.1 on a fully default install.

It abuses a REST batch array misalignment to reach a WP_Query SQL injection, then poisons the object cache to forge an admin account and deploy a webshell, no non-default MySQL config required.

Original discovery by Adam Kues and Patrik Grobshäuser at Assetnote/Searchlight Cyber; this PoC was built with Claude.

python3 wp2shell.py http://target/ --cmd "id"

Technical writeup at https://yoerivegt.com/wp2shell/

About

wp2shell (CVE-2026-60137 / CVE-2026-63030)

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages