{"uuid": "a55f0a0b-51f3-4464-aa9f-ccaf2c98c196", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-63030", "type": "seen", "source": "https://bsky.app/profile/kotosecurity.bsky.social/post/3mqwgkaiooz2c", "content": "\ud83d\udea8 VULN: WordPress core 'wp2shell' \u2014 CVE-2026-63030 (REST API batch-route confusion) chained with CVE-2026-60137 (SQLi) gives unauthenticated RCE on a bare install. Fixed in 6.9.5/7.0.2 (forced auto-update); 6.8.x SQLi fixed in 6.8.6. Public PoC live. Src: The Hacker News", "creation_timestamp": "2026-07-18T14:02:42.183813Z"}