SQL Injection and Remote Code Execution in WordPress REST API
CVE-2026-63030
7.5HIGH
What is CVE-2026-63030?
A confusion issue in the REST API batch endpoint of WordPress versions 6.9.x prior to 6.9.5 and 7.0.x prior to 7.0.2 could facilitate an exploit. This vulnerability, when combined with an existing SQL Injection flaw in the author__not_in WP_Query feature, can allow attackers to execute unauthorized SQL commands, potentially leading to Remote Code Execution. It is crucial for users to update to the latest versions of WordPress to mitigate these security risks.
Affected Version(s)
WordPress 6.9.0 < 6.9.5
WordPress 7.0.0 < 7.0.2
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Adam Kues, Assetnote / Searchlight Cyber
WordPress Security Team