2026-07-18 · view entry permalink →
WP2Shell: pre-auth RCE chain in stock WordPress core (CVE-2026-63030 + CVE-2026-60137) — out-of-band 7.0.2 patch, exploitation expected short-term
WordPress shipped an out-of-band core security release on 2026-07-17 fixing a pre-authentication remote-code-execution chain that researcher Adam Kues of Searchlight Cyber calls WP2Shell (WordPress.org, 2026-07-17; Searchlight Cyber, 2026-07-17). The chain's first half, CVE-2026-63030, is a route-confusion weakness (CWE-436) in the REST API batch endpoint — /wp-json/batch/v1, also reachable as ?rest_route=/batch/v1 — which processes several sub-requests in one call; a parsing quirk desynchronizes internal request arrays so one sub-request executes under another's handler. Chained with CVE-2026-60137 — an SQL injection in the author__not_in parameter of WP_Query, the class that builds most WordPress database queries — it yields code execution with no authentication, no plugins and no special configuration: "the attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins" (Searchlight Cyber, 2026-07-17). The full chain affects 6.9.0–6.9.4 and 7.0.0–7.0.1; the SQL-injection component reaches back into 6.8.x, where it is exposed when a plugin or theme passes untrusted input to the parameter (ENISA EUVD, 2026-07-17). Scoring is contested between assigners: the WPScan CNA rates the RCE component 9.8 and the SQLi 5.9, while the CISA-ADP secondary assessment carried by NVD and EUVD inverts the pair at 7.5 and 9.1 (ENISA EUVD, 2026-07-18).
Searchlight Cyber withheld exploit mechanics "to give defenders time to patch" and instead published a checker tool; VulnCheck's independent analysis describes the practical post-exploitation route as dumping credential hashes via the SQL injection, cracking or reusing an administrator login, and dropping a webshell through the admin interface (VulnCheck, 2026-07-17). Public proof-of-concept code is already on GitHub — The Hacker News reports "a working proof-of-concept has gone up on GitHub" (The Hacker News, 2026-07-17), while an earlier-observed public repository carried only detection-grade probing (time-based blind SQL-injection and route-confusion checks); either way, exploit tooling is public. Exploitation status as of publication: Rapid7 was "not aware of publicly confirmed in-the-wild exploitation" as of 2026-07-17 evening (Rapid7, 2026-07-17), the CVE pair is not in CISA KEV, and a circulated secondhand exploitation claim traces back to a Patchstack database page that in fact makes only the predictive statement "this vulnerability is highly dangerous and expected to become exploited." NCSC-NL's advisory rates likelihood high and expects short-term exploitation, recommending WAF-blocking of the batch endpoint where patching must wait (NCSC-NL, 2026-07-18).
The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.
It is not on CISA's KEV catalog, which takes confirmed exploitation, and none has been reported as of July 18.