ctipilot.ch

WP2Shell: WordPress core REST batch route confusion to pre-auth RCE chain

cve · CVE-2026-63030

Coverage timeline
1
first 2026-07-18 → last 2026-07-18
Peak priority
high
1 high
Sources cited
8
7 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
1
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
WordPress Core

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-18/wordpress-core-wp2shell-preauth-rce-chain-cve-2026-63030 · ATT&CK page ↗

Persistence TA0003

T1505.003Server Software Component: Web Shell×1

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Evidence: 2026-07-18/wordpress-core-wp2shell-preauth-rce-chain-cve-2026-63030 · ATT&CK page ↗

Story timeline

  1. 2026-07-18WP2Shell: pre-auth RCE chain in stock WordPress core (CVE-2026-63030 + CVE-2026-60137) — out-of-band 7.0.2 patch, exploitation expected short-term
    trending-vulnerabilitiesWordPress core's REST batch endpoint + a WP_Query SQL injection chain to unauthenticated RCE on a stock install — patch 7.0.2/6.9.5/6.8.6 shipped 2026-07-17

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • euvd.enisa.europa.eu2 (25%)
  • advisories.ncsc.nl1 (12%)
  • rapid7.com1 (12%)
  • slcyber.io1 (12%)
  • thehackernews.com1 (12%)
  • vulncheck.com1 (12%)
  • wordpress.org1 (12%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about WP2Shell: WordPress core REST batch route confusion to pre-auth RCE chain (1)

2026-07-18 · view entry permalink →

WP2Shell: pre-auth RCE chain in stock WordPress core (CVE-2026-63030 + CVE-2026-60137) — out-of-band 7.0.2 patch, exploitation expected short-term

WordPress shipped an out-of-band core security release on 2026-07-17 fixing a pre-authentication remote-code-execution chain that researcher Adam Kues of Searchlight Cyber calls WP2Shell (WordPress.org, 2026-07-17; Searchlight Cyber, 2026-07-17). The chain's first half, CVE-2026-63030, is a route-confusion weakness (CWE-436) in the REST API batch endpoint — /wp-json/batch/v1, also reachable as ?rest_route=/batch/v1 — which processes several sub-requests in one call; a parsing quirk desynchronizes internal request arrays so one sub-request executes under another's handler. Chained with CVE-2026-60137 — an SQL injection in the author__not_in parameter of WP_Query, the class that builds most WordPress database queries — it yields code execution with no authentication, no plugins and no special configuration: "the attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins" (Searchlight Cyber, 2026-07-17). The full chain affects 6.9.0–6.9.4 and 7.0.0–7.0.1; the SQL-injection component reaches back into 6.8.x, where it is exposed when a plugin or theme passes untrusted input to the parameter (ENISA EUVD, 2026-07-17). Scoring is contested between assigners: the WPScan CNA rates the RCE component 9.8 and the SQLi 5.9, while the CISA-ADP secondary assessment carried by NVD and EUVD inverts the pair at 7.5 and 9.1 (ENISA EUVD, 2026-07-18).

Searchlight Cyber withheld exploit mechanics "to give defenders time to patch" and instead published a checker tool; VulnCheck's independent analysis describes the practical post-exploitation route as dumping credential hashes via the SQL injection, cracking or reusing an administrator login, and dropping a webshell through the admin interface (VulnCheck, 2026-07-17). Public proof-of-concept code is already on GitHub — The Hacker News reports "a working proof-of-concept has gone up on GitHub" (The Hacker News, 2026-07-17), while an earlier-observed public repository carried only detection-grade probing (time-based blind SQL-injection and route-confusion checks); either way, exploit tooling is public. Exploitation status as of publication: Rapid7 was "not aware of publicly confirmed in-the-wild exploitation" as of 2026-07-17 evening (Rapid7, 2026-07-17), the CVE pair is not in CISA KEV, and a circulated secondhand exploitation claim traces back to a Patchstack database page that in fact makes only the predictive statement "this vulnerability is highly dangerous and expected to become exploited." NCSC-NL's advisory rates likelihood high and expects short-term exploitation, recommending WAF-blocking of the batch endpoint where patching must wait (NCSC-NL, 2026-07-18).

The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.

Searchlight Cyber 2026-07-17

It is not on CISA's KEV catalog, which takes confirmed exploitation, and none has been reported as of July 18.

The Hacker News 2026-07-17
vulnerability18 Jul 13:20Zmulti-sourceOpen finding ↗