SQL Injection and Remote Code Execution in WordPress REST API
CVE-2026-63030

7.5HIGH

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-63030?

A confusion issue in the REST API batch endpoint of WordPress versions 6.9.x prior to 6.9.5 and 7.0.x prior to 7.0.2 could facilitate an exploit. This vulnerability, when combined with an existing SQL Injection flaw in the author__not_in WP_Query feature, can allow attackers to execute unauthorized SQL commands, potentially leading to Remote Code Execution. It is crucial for users to update to the latest versions of WordPress to mitigate these security risks.

Affected Version(s)

WordPress 6.9.0 < 6.9.5

WordPress 7.0.0 < 7.0.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Adam Kues, Assetnote / Searchlight Cyber
WordPress Security Team
.