CVE-2026-63030 CVE-2026-60137 No exploit payloads

Check WordPress exposure to wp2shell

Pre-auth RCE chain (REST batch confusion + SQLi). Patched in 7.0.2, 6.9.5, 6.8.6.

Only scan sites you are authorized to test.

How it works

Version hints alone are not enough.

01

Passive

Markers + version hints (readme, meta, feed, REST).

02

Safe probe

Benign batch marker POST — no SQLi/RCE payload.

03

Affected

6.9.0–6.9.4, 7.0.0–7.0.1 (RCE); 6.8.0–6.8.5 (SQLi).

04

Fix

Upgrade + block /?rest_route=/batch/v1 at edge.