๐Ÿ” CVE Alert

CVE-2026-63030

HIGH 7.5

WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.

Vendor wordpress
Product wordpress
Ecosystems
Industries
WebMedia
Published Jul 17, 2026
Last Updated Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for wordpress wordpress

Be the first to know when new high vulnerabilities affecting wordpress wordpress are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

WordPress / WordPress
6.9.0 < 6.9.5 7.0.0 < 7.0.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ff9f-jf42-662q wordpress.org: https://wordpress.org/news/2026/07/wordpress-7-0-2-release/

Credits

Adam Kues, Assetnote / Searchlight Cyber WordPress Security Team