wp2shell (CVE-2026-63030) update: public working exploit now available for the WordPress core pre-auth RCE

News

Follow-up on the WordPress core pre-auth RCE. Searchlight Cyber held technical details at disclosure and Rapid7 predicted a PoC would land fast. It has. What’s new: A working exploit is now public on GitHub, MIT-licensed with an “educational / authorized testing only” disclaimer, and being mirrored on a Telegram channel (bundled with target-discovery dorks). Free, not paywalled. Chain recap: CVE-2026-63030 (REST batch-route confusion → auth bypass) unlocks CVE-2026-60137 (SQLi in WP_Query author__not_in) → dump DB → crack admin hash → admin = RCE on a stock install via the theme editor. No plugins, no auth. Affected: 6.9.0–6.9.4, 7.0.0–7.0.1 (RCE chain); SQLi reaches into 6.8.x. Fixed in 7.0.2 / 6.9.5 / 6.8.6, forced auto-updates enabled. If you’re patched you’re fine. For any long tail of internet-facing WP, assume opportunistic scanning is starting now that a working exploit is public, and treat post-disclosure exposure as potential compromise (rogue admins, modified PHP, new files in uploads). Disclosure: I write for Ransomnews. submitted by /u/lexcor [link] [comments]Technical Information Security Content & DiscussionRead More