CVE-2026-63030
High PUBLISHEDWordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution
Not yet in CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.
- CVE Published
- Jul 17, 2026
- Exploitation Reported
- Jul 18, 2026
- CVSS
- 9.8 Critical
- EPSS
- 8.9%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| WordPress |
WordPress
|
6.9.0 to < 6.9.5 |
Affected |
| WordPress |
WordPress
|
7.0.0 to < 7.0.2 |
Affected |
CVE References
- Vendor Advisory — wordpress.org wordpress.org · Vendor Advisory https://wordpress.org/news/2026/07/wordpress-7-0-2-release/
- GitHub — WordPress/wordpress-develop github.com · Technical Description https://github.com/WordPress/wordpress-develop/security/advisories/GH...
- https://wp2shell.com/ General https://wp2shell.com/
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| PatchStack First | 2026-07-18 16:03 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-63030.yaml | Jul 18, 2026 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
Supported Platforms
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
GET /api/v2/enterprise/virtual_patches?cve_id=CVE-2026-63030
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-07-18 16:03:00 UTC · PatchStack
Proof of concept available
Recorded 2026-07-17 23:09:00 UTC · Nuclei Templates
Weaknesses (CWE)
-
Interpretation Conflict
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-63030.yaml | Jul 18, 2026 |
Recent Mentions
Daily CyberSecurity · Jul 18, 2026
TL;DR WordPress shipped 7.0.2 on July 17, 2026 to fix a critical flaw chain. The bug is a The post WordPress Pre-Auth RCE CVE-2026-63030: Vulnerability Details and PoC Exploit Code Now Public appeared first on Daily CyberSecurity.
Wordfence · Jul 17, 2026
On July 17, 2026, the WordPress Security Team released updates to WordPress core addressing two security vulnerabilities. The first is an unauthenticated SQL injection vulnerability identified as CVE-2026-60137, while the second can be chained with the SQL injection to increase its impact to unauthenticated remote code execution and is identified as CVE-2026-63030. To protect WordPress ...Read More The post PSA: WordPress Core Patched Unauthenticated Remote Code Execution Vulnerability Chain appeared first on Wordfence.
Rapid7 · Jul 17, 2026
OverviewOn July 17, 2026, a GitHub Security Advisory was published for CVE-2026-63030, a critical unauthenticated remote code execution vulnerability affecting WordPress Core. While the official GitHub security advisory classifies the severity as Critical, the vulnerability has currently been assigned a CVSS score of 7.5. WordPress is one of the most widely deployed content management systems, making vulnerabilities in its core software potentially significant for organizations operating public-facing websites. The vulnerability reportedly allows an unauthenticated attacker to execute code via the WordPress REST API batch endpoint, potentially resulting in complete compromise of the website and its underlying data. No valid account or user interaction is required.According to the advisory, the vulnerability affects WordPress versions 6.9.0 through 6.9.4 and versions 7.0.0 through 7.0.1. The issue is fixed in WordPress 6.9.5 and 7.0.2. A fix is also included in WordPress 7.1 Beta 2.Cloudflare reported that the vulnerable code path can be reached when a persistent object cache is not in use. Searchlight Cyber, whose researchers identified the vulnerability, stated that it can be exploited remotely against a default WordPress installation without requiring additional plugins.Technical exploit details have not yet been published by Searchlight Cyber, as of July 17 5:45 PM Eastern time. At the time of publication, Rapid7 is not aware of publicly confirmed in-the-wild exploitation. Organizations should not interpret the absence of public exploitation reports as an indication of low risk, particularly given the vulnerability’s unauthenticated attack path and the widespread deployment of WordPress; affected WordPress sites should be urgently patched. Due to WordPress Core being an open-source project and given the current ability of AI models to analyze open-source code, Rapid7 Labs believes it is highly likely that a public PoC will be made available in a short period...
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2026-07-18 21:13:39 UTC · 1 stars
WordPress 未授权RCE EXP | CVE-2026-63030
github · Created 2026-07-18 20:46:28 UTC · 0 stars
CVE-2026-63030 - WordPress Core Pre-Auth RCE Mass Exploit
github · Created 2026-07-18 17:07:39 UTC · 0 stars
github · Created 2026-07-18 16:17:30 UTC · 0 stars
A critical unauthenticated "remote code execution" vulnerability affecting WordPress Core
github · Created 2026-07-18 16:07:41 UTC · 0 stars
A fully red-team(offensive security) weaponized variant of wp2shell, built for authorized penetration testing & educational purposes.
github · Created 2026-07-18 14:06:48 UTC · 2 stars
PoC Exploit of WordPress Core Unauthenticated RCE known as WP2Shell
github · Created 2026-07-18 12:11:11 UTC · 2 stars
CVE-2026-63030 (wp2shell) POC.
github · Created 2026-07-18 10:19:10 UTC · 0 stars
github · Created 2026-07-18 01:02:47 UTC · 0 stars
That wasnt tested on a vulnerable target yet
nuclei · Created Unknown
1 private PoC available
Private PoC details are available to Pro and Enterprise accounts on this page and through the Pro API.
Learn about Pro API accessTimeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
16:03 UTC 1 day ago16:03 UTC · 1 day ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
04:31 UTC 1 day ago04:31 UTC · 1 day ago
Nuclei template available
Scanner coverage available
-
01:02 UTC 1 day ago01:02 UTC · 1 day ago
Public PoC available
Public proof-of-concept code published
-
23:09 UTC 2 days ago23:09 UTC · 2 days ago
Private PoC available
Pro-only proof-of-concept available
-
22:25 UTC 2 days ago22:25 UTC · 2 days ago
Virtual patch available
Compensating WAF rule available to block exploitation
-
19:14 UTC 2 days ago19:14 UTC · 2 days ago
CVE published
Vulnerability disclosed publicly
-
17:17 UTC 2 days ago17:17 UTC · 2 days ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2026-63030
{
"cve_id": "CVE-2026-63030",
"title": "WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue le...",
"affected_vendor": "WordPress",
"affected_product": "WordPress",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "High",
"cvss_score": 9.8,
"epss_score": 0.08946,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}