To secure your systems, understanding your external perimeter and identifying all deployed WordPress instances is crucial. Our team can help catalog and continuously scan your external environment. Explore our Attack Surface Management services to learn how we continuously discover and monitor all your internet-facing assets for severe exposures.
Technical Mechanics of the WP2SHELL Chain
The WP2SHELL threat is not a single bug, but rather an elegant and highly destructive vulnerability chain. It combines a REST API route and validation desynchronization vulnerability, tracked as CVE-2026-63030, with a core SQL injection vulnerability, tracked as CVE-2026-60137, in the main WordPress query engine class. The exploit bypasses authentication barriers and manipulates SQL queries, culminating in remote code execution on the host operating system.
The Role of CVE-2026-63030: REST API Route Confusion
The WordPress REST API batch endpoint, located at /wp-json/batch/v1, is designed to handle multiple nested sub-requests inside a single HTTP request. This optimization improves performance for dashboard interactions and mobile apps. However, a severe logical flaw exists in the batch dispatcher framework.
When parsing incoming nested sub-requests, the dispatcher evaluates them sequentially. An attacker can craft a payload where the very first sub-request is designed to fail validation immediately, such as by passing an invalid target path like http://:. When this validation failure occurs, the dispatcher generates a WP_Error object. Due to an implementation error, this failed request is excluded from the internal match array but retained in the main dispatcher index. This mismatch creates an off-by-one array offset desynchronization.
Consequently, subsequent sub-requests in the batch queue are evaluated against the dispatch and permission callbacks of the previous sub-request. This logical flaw allows an unauthenticated attacker to completely bypass route-level access restrictions and execute actions reserved for authenticated administrative sessions.
The Role of CVE-2026-60137: Core SQL Injection
Once the route restrictions are bypassed, the attacker dispatches a nested sub-request directly to the core query engine, specifically targeting the WP_Query class. This query engine handles database searches and post fetching. The vulnerability lies within the processing of the author__not_in parameter, which is designed to exclude specific author IDs from query results.
Normally, this parameter expects an array of integer values. However, if an attacker passes a raw string instead of an array, the core type check functions are bypassed. The database abstraction layer fails to sanitize the input properly when a string is received in this specific context, dropping the raw, attacker-controlled string directly into the SQL query string. This results in an unauthenticated, blind, or time-based SQL injection vulnerability.
The Path to Remote Code Execution
Through the SQL injection vector, attackers can execute commands to retrieve sensitive data from the database. This includes extracting administrator session hashes, database credentials, and altering tables. After acquiring these credentials, the attacker logs in as an administrator and uploads a malicious theme or plugin containing a PHP-based backdoor, commonly known as a webshell. This backdoor allows the attacker to execute arbitrary shell commands on the underlying web server, resulting in a full system compromise.
This remote code execution chain is highly reliable on default WordPress configurations, especially where a persistent object cache like Redis or Memcached is not utilized to abstract database interactions.