WP2Shell
Wordpress Core unauthenticated RCE A technical walkthrough of the wp2shell chain, where two small bugs in the WordPress REST API turn into unauthenticated remote code execution on a default install. Original discovery by Adam Kues and Patrik Grobshäuser at Assetnote. The proof of concept discussed here was built with Claude.
July 18, 2026