CVE-2026-63030

High PUBLISHED

WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution

WordPress · WordPress

Not yet in CISA KEV

Exploited in the wild PoC available Virtual patch available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
High
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
Not yet in CISA KEV
Virtual Patch
Yes 3 targets
CVSS / EPSS
9.8 Critical EPSS 8.9%

At a Glance

WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.

wordpress
CVE Published
Jul 17, 2026
Exploitation Reported
Jul 18, 2026
CVSS
9.8 Critical
EPSS
8.9%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
WordPress
WordPress

6.9.0 to < 6.9.5

Affected
WordPress
WordPress

7.0.0 to < 7.0.2

Affected

CVE References

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.