Verified reproduction
CVE-2026-63030: WordPress 7.0.1 pre-auth fresh-administrator chain to RCE
CVE-2026-63030 is verified against the affected target vulnerability class: RCE This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00294.
Severity CRITICAL
Confidence HIGH
Reproduced in 65m 17s
Tool calls 443
Spend $63.38
$
pruva-verify REPRO-2026-00294 or
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00294/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Run in a VM or disposable container. This exploits a real vulnerability.
Pruva Ticket Brief: Fresh-Administrator RCE Chain
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support · claim contract · reproduction · judge · variant analysis
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.
bundle/vuln_variant/root_cause_equivalence.json2.6 KBbundle/logs/vuln_variant/final_deliverable_sha256.log0.8 KBbundle/repro/reproduction_steps.sh21.7 KBbundle/repro/helpers/wp2shell_full_chain.py6.4 KBbundle/repro/helpers/wp2shell_lab_probe.py15.0 KBbundle/repro/helpers/wp2shell_admin_to_rce.py5.1 KBbundle/repro/helpers/wp2shell_install_target.py1.5 KBbundle/repro/helpers/wp2shell_oembed_server.py2.2 KBbundle/repro/runtime_manifest.json1.5 KBbundle/repro/validation_verdict.json1.1 KBbundle/repro/rca_report.md10.5 KBbundle/logs/vulnerable_database_before.log0.1 KBbundle/logs/two_run_verification.log0.8 KBbundle/logs/source_identity.log0.6 KBbundle/logs/image_identity.log0.5 KBbundle/logs/vulnerable_setup.log1.4 KBbundle/logs/fixed_setup.log1.4 KBbundle/logs/network_boundary.log0.4 KBbundle/logs/oembed_provider.log3.5 KBbundle/logs/second_clean_run.log0.2 KBbundle/logs/pass1/reproduction_steps.log11.6 KBbundle/logs/pass1/fixed_database_after.log0.1 KBbundle/logs/final_two_consecutive_runs.log0.6 KBbundle/logs/ultimate_pass2/reproduction_steps.log11.6 KBbundle/logs/ultimate_pass2/vulnerable_http_chain.log1.1 KBbundle/logs/ultimate_pass2/vulnerable_command_response.log0.1 KBbundle/logs/ultimate_pass2/fixed_database_after.log0.1 KBbundle/logs/fixed_database_before.log0.1 KBbundle/vuln_variant/reproduction_steps.sh14.0 KBbundle/vuln_variant/variant_probe.py4.4 KBbundle/logs/vuln_variant/verification_run1.log10.1 KBbundle/logs/vuln_variant/verification_run2.log10.1 KBbundle/logs/vuln_variant/candidate_matrix.log0.4 KBbundle/logs/vuln_variant/source_identity.log0.5 KBbundle/logs/vuln_variant/static_coverage.log0.4 KBbundle/vuln_variant/validation_verdict.json3.3 KBbundle/vuln_variant/variant_manifest.json4.0 KBbundle/vuln_variant/rca_report.md11.8 KBbundle/vuln_variant/patch_analysis.md8.3 KBbundle/vuln_variant/runtime_manifest.json2.4 KBbundle/logs/vuln_variant/vulnerable_query_scalar.json1.7 KBbundle/logs/vuln_variant/fixed_query_scalar.json0.8 KBbundle/logs/vuln_variant/vulnerable_body_scalar.json1.7 KBbundle/logs/vuln_variant/fixed_body_scalar.json0.8 KBbundle/logs/vuln_variant/vulnerable_batch_alignment.json0.8 KBbundle/logs/vuln_variant/fixed_batch_alignment.json0.8 KBbundle/logs/vuln_variant/two_run_verification.log0.0 KBbundle/logs/vuln_variant/vulnerable_before.log0.5 KBbundle/logs/vuln_variant/vulnerable_after.log0.5 KBbundle/logs/vuln_variant/fixed_before.log0.5 KBbundle/logs/vuln_variant/fixed_after.log0.5 KB