CVE-2026-63030 PUBLISHED

WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution

Assigner: WPScan
Reserved: 17.07.2026 Published: 17.07.2026 Updated: 18.07.2026

WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor WordPress
Product WordPress
Versions Default: unaffected
  • affected from 6.9.0 to 6.9.5 (excl.)
  • affected from 7.0.0 to 7.0.2 (excl.)

Credits

  • Adam Kues, Assetnote / Searchlight Cyber finder
  • WordPress Security Team coordinator

References

Problem Types

  • CWE-436 Interpretation Conflict CWE