CVE-2026-63030
WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.
| Vendor | wordpress |
| Product | wordpress |
| Ecosystems | |
| Industries | WebMedia |
| Published | Jul 17, 2026 |
| Last Updated | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for wordpress wordpress
Be the first to know when new high vulnerabilities affecting wordpress wordpress are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
WordPress / WordPress
6.9.0 < 6.9.5 7.0.0 < 7.0.2
References
Credits
Adam Kues, Assetnote / Searchlight Cyber WordPress Security Team