CVE-2026-63030
Received Received - Intake

WordPress REST API Batch Endpoint Route Confusion Leading to SQL Injection

Vulnerability report for CVE-2026-63030, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: WPScan

Description

WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wordpress wordpress to 6.9.5 (exc)
wordpress wordpress to 7.0.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects WordPress versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. It involves a REST API batch endpoint route confusion issue combined with an SQL injection flaw (CVE-2026-60137). Together, these issues can allow an attacker to perform SQL injection and achieve remote code execution.

Detection Guidance

To detect this vulnerability, check your WordPress version. If you are running versions 6.9.0 through 6.9.4 or 7.0.0 through 7.0.1, your system is vulnerable. Use commands like 'wp core version' in the WordPress directory or check the version in the admin dashboard under 'Updates'.

Impact Analysis

An attacker could exploit this vulnerability to execute arbitrary code on your WordPress site, potentially taking full control of it. This could lead to data theft, website defacement, or further attacks against visitors.

Compliance Impact

This vulnerability could lead to unauthorized access and data breaches, violating GDPR and HIPAA requirements for data protection and security. Non-compliance may result in legal penalties and reputational damage.

Mitigation Strategies

Update WordPress to version 6.9.5, 7.0.2, or 7.1 beta2 or later immediately to patch the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63030. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart