Cms
wp2shell: A Two-CVE Chain Turns WordPress Core Into Pre-Auth RCE
CVE-2026-60137 and CVE-2026-63030 chain a REST API route-confusion bug with a WP_Query SQL injection to give unauthenticated attackers a path to full RCE on default WordPress installs.