WordPress wp2shell RCE Exposure

Phase 1Information Gatheringconfig mgmtWSTG-CONF

What is WordPress wp2shell RCE Exposure?

Passively assesses whether a WordPress installation may be exposed to the "wp2shell" pre-authentication RCE chain: CVE-2026-63030 (REST API batch-route confusion, CWE-436) combined with CVE-2026-60137 (SQL injection in WP_Query author__not_in, CWE-89). Affected: 6.9.0–6.9.4, 7.0.0–7.0.1. Patched in 6.9.5 and 7.0.2.

This vulnerability class falls under the Information Gathering phase of the OWASP Testing Guide (WSTG-CONF). Security engineers prioritise information gathering checks early in an assessment because weaknesses here provide a foothold that amplifies the severity of vulnerabilities found in later phases.

Security Impact

The wp2shell chain combines a REST batch-route confusion issue with a SQL injection flaw to permit potential unauthenticated RCE. Passive version-and-reachability assessment catches unpatched installs before they are actively exploited.

Left undetected, wordpress wp2shell rce exposure issues can persist unnoticed for months. Continuous automated scanning ensures your team receives an alert the moment a regression or new exposure is introduced — long before an attacker discovers it through manual enumeration or automated offensive tooling.

How DygDog Detects It

DygDog audits server configuration, exposed file paths, HTTP methods, and deployment artefacts without sending malicious payloads, making the check safe to run continuously in production.

The WordPress wp2shell RCE Exposure check is implemented as a passive scan module, meaning it never sends dangerous payloads or modifies application state. Scans complete in approximately 2.0 s and run continuously in the background so your security posture reflects the current state of your site — not a point-in-time snapshot.

Sample Finding

The following illustrates what a positive WordPress wp2shell RCE Exposure detection looks like in practice.

Observed

WordPress 7.0.1 detected via <meta name="generator"> tag; GET /wp-json/batch/v1 returns HTTP 200

Risk

Potential unauthenticated RCE — CVE-2026-63030 (REST batch-route confusion, CWE-436) combined with CVE-2026-60137 (SQL injection in WP_Query author__not_in, CWE-89) may permit unauthenticated code execution. This is a passive version-and-reachability assessment only.

Fix

Update WordPress to 7.0.2 or later immediately via wp-admin > Dashboard > Updates or WP-CLI (`wp core update`)

Remediation Approach

Harden server and framework defaults by disabling unused HTTP methods, removing version banners from response headers, and applying a principle-of-least-privilege to file permissions and deployment artefacts.

DygDog does not stop at detection. When a WordPress wp2shell RCE Exposure finding is confirmed, the platform generates infrastructure-aware, copy-paste-ready remediation snippets using frontier AI models. Instead of generic advice you need to adapt, you receive code that targets your exact server, framework, and configuration.

OWASP References

This check maps to the following OWASP Testing Guide test cases:

These checks belong to the same testing phase and are often assessed together:

Detect WordPress wp2shell RCE Exposure on Your Site

DygDog runs continuous passive scans across 73 vulnerability checks — including WordPress wp2shell RCE Exposure — and notifies you the moment an issue is detected. Start a free scan in under 60 seconds, no installation required.

Start Free Scan