Cyber Threat Brief — July 18 2026
1. wp2shell — WordPress Core Pre-Auth RCE — CVE-2026-63030 / CVE-2026-60137
TL;DR: Two chained WordPress Core flaws give anonymous attackers code execution on default installs with zero plugins — REST batch-route confusion (CVE-2026-63030) plus blind SQLi (CVE-2026-60137). Public PoC dropped July 18; patches in 6.9.5 / 7.0.2.
What’s New:
- Disclosed July 17 via GitHub Security Advisory GHSA-ff9f-jf42-662q; CVE IDs assigned and PoC published within 24 hours
- Attack path:
POST /wp-json/batch/v1(or/?rest_route=/batch/v1) — parsing quirk misaligns sub-request arrays so one request runs under another’s handler, reachingWP_Queryauthor__not_inSQLi without authentication - Cloudflare confirms the vulnerable code path is reachable when persistent object cache is not in use (most shared-hosting installs)
- Public PoC (
Icex0/wp2shell-pocon GitHub) demonstrates blind boolean/time-based SQLi to extract admin password hashes; full RCE chain details withheld by Searchlight Cyber but expected imminently - Wordfence Premium/Care/Response customers received WAF rule July 17; Cloudflare deployed global WAF rules same day
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
POST /wp-json/batch/v1 with nested sub-requests | Exploit endpoint | T1190 | WAF / web access logs | Block unauthenticated batch requests; alert on anomalous batch payloads |
GET/POST /?rest_route=/batch/v1 | Alternate exploit path | T1190 | WAF / web access logs | Block — always-available alias for batch API |
author__not_in parameter with SQLi payloads | SQLi vector | T1190 | WAF / web access logs | Alert — boolean/time-based blind SQLi patterns (SLEEP, BENCHMARK, IF) |
| WordPress versions 6.9.0-6.9.4, 7.0.0-7.0.1 | Vulnerable software | — | Asset inventory | Patch to 6.9.5 / 7.0.2 immediately |
Icex0/wp2shell-poc (GitHub) | Public PoC | — | — | Awareness — attacker tooling available |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for WordPress REST batch endpoint abuse or wp2shell SQLi chain |
| Elastic | None | No rule for WordPress batch API exploitation |
| Sigma | None | No rule for wp2shell; need web proxy rule matching POST to /wp-json/batch/v1 with SQLi indicators |
Sources: Rapid7 ETR, Searchlight Cyber, The Hacker News, Cloudflare blog, GitHub Advisory
Status Updates
-
CVE-2026-46817 (Oracle EBS Payments): Federal CISA KEV deadline TODAY July 18. DriveSurge IAB exploitation ongoing with 456+ attacks. 950 exposed instances (Shadowserver). Patch: May 2026 CPU. Original brief.
-
CVE-2026-58644 (SharePoint Server): CISA KEV July 16. Federal deadline TOMORROW July 19. Pre-auth deserialization RCE (CVSS 9.8). Patched July 14 Patch Tuesday. CISA alert.
-
CVE-2026-39808 / CVE-2026-25089 (FortiSandbox): CISA KEV July 16. Federal deadline TOMORROW July 19. Triple-CVE OS command injection chain with CVE-2026-39813 (auth bypass). Active exploitation since June 16. CISA alert.