Cyber Threat Brief — July 18 2026

⚠️ This report is AI-generated. Always validate findings.

1. wp2shell — WordPress Core Pre-Auth RCE — CVE-2026-63030 / CVE-2026-60137

TL;DR: Two chained WordPress Core flaws give anonymous attackers code execution on default installs with zero plugins — REST batch-route confusion (CVE-2026-63030) plus blind SQLi (CVE-2026-60137). Public PoC dropped July 18; patches in 6.9.5 / 7.0.2.

What’s New:

  • Disclosed July 17 via GitHub Security Advisory GHSA-ff9f-jf42-662q; CVE IDs assigned and PoC published within 24 hours
  • Attack path: POST /wp-json/batch/v1 (or /?rest_route=/batch/v1) — parsing quirk misaligns sub-request arrays so one request runs under another’s handler, reaching WP_Query author__not_in SQLi without authentication
  • Cloudflare confirms the vulnerable code path is reachable when persistent object cache is not in use (most shared-hosting installs)
  • Public PoC (Icex0/wp2shell-poc on GitHub) demonstrates blind boolean/time-based SQLi to extract admin password hashes; full RCE chain details withheld by Searchlight Cyber but expected imminently
  • Wordfence Premium/Care/Response customers received WAF rule July 17; Cloudflare deployed global WAF rules same day

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
POST /wp-json/batch/v1 with nested sub-requestsExploit endpointT1190WAF / web access logsBlock unauthenticated batch requests; alert on anomalous batch payloads
GET/POST /?rest_route=/batch/v1Alternate exploit pathT1190WAF / web access logsBlock — always-available alias for batch API
author__not_in parameter with SQLi payloadsSQLi vectorT1190WAF / web access logsAlert — boolean/time-based blind SQLi patterns (SLEEP, BENCHMARK, IF)
WordPress versions 6.9.0-6.9.4, 7.0.0-7.0.1Vulnerable softwareAsset inventoryPatch to 6.9.5 / 7.0.2 immediately
Icex0/wp2shell-poc (GitHub)Public PoCAwareness — attacker tooling available

Detection

SourceRuleGap
Splunk ESCUNoneNo rule for WordPress REST batch endpoint abuse or wp2shell SQLi chain
ElasticNoneNo rule for WordPress batch API exploitation
SigmaNoneNo rule for wp2shell; need web proxy rule matching POST to /wp-json/batch/v1 with SQLi indicators

Sources: Rapid7 ETR, Searchlight Cyber, The Hacker News, Cloudflare blog, GitHub Advisory


Status Updates

  • CVE-2026-46817 (Oracle EBS Payments): Federal CISA KEV deadline TODAY July 18. DriveSurge IAB exploitation ongoing with 456+ attacks. 950 exposed instances (Shadowserver). Patch: May 2026 CPU. Original brief.

  • CVE-2026-58644 (SharePoint Server): CISA KEV July 16. Federal deadline TOMORROW July 19. Pre-auth deserialization RCE (CVSS 9.8). Patched July 14 Patch Tuesday. CISA alert.

  • CVE-2026-39808 / CVE-2026-25089 (FortiSandbox): CISA KEV July 16. Federal deadline TOMORROW July 19. Triple-CVE OS command injection chain with CVE-2026-39813 (auth bypass). Active exploitation since June 16. CISA alert.