CVE-2026-63030 in WordPressinfo

Summary

by MITRE • 07/17/2026

WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/18/2026

The vulnerability under discussion represents a critical security flaw in WordPress versions prior to 6.9.5 and 7.0.2 that stems from a combination of two distinct but interconnected issues within the REST API framework. This route confusion problem specifically affects the batch endpoint functionality, which allows multiple API requests to be processed in a single HTTP call. The vulnerability exploits how WordPress handles routing for these batch operations, creating an opportunity for attackers to manipulate the request flow and potentially bypass normal access controls.

The technical implementation of this flaw involves the REST API's handling of batch requests where the system fails to properly validate or sanitize input parameters that determine which routes should be executed. This creates a scenario where an attacker can craft malicious requests that cause the system to execute unintended code paths within the WordPress core. The vulnerability is particularly dangerous because it leverages the legitimate batch processing functionality while masking malicious intent through normal API interaction patterns, making detection more challenging for security monitoring systems.

When combined with CVE-2026-60137, which represents an author__not_in WP_Query SQL Injection vulnerability, the impact becomes significantly more severe. The SQL injection component allows attackers to manipulate database queries through the WordPress Query system, potentially enabling them to extract sensitive data, modify database content, or even escalate privileges within the system. This dual vulnerability creates a powerful attack vector where route confusion provides the initial access point for manipulating API endpoints, while the SQL injection capability extends the attack surface to include database-level compromise.

The operational impact of this vulnerability extends beyond simple data theft or modification, as it can potentially lead to full system compromise through remote code execution capabilities. Attackers who successfully exploit this vulnerability can execute arbitrary code on the affected WordPress server, effectively taking control of the entire hosting environment. This risk is particularly concerning given that WordPress powers over 40% of websites globally, making any successful exploitation potentially widespread and impactful across numerous organizations.

Organizations should prioritize immediate patching of affected WordPress installations to address both the route confusion issue in the REST API batch endpoints and the underlying SQL injection vulnerability in the WP_Query system. The mitigation strategy should include comprehensive testing of patched versions to ensure no regression in existing functionality while maintaining strict monitoring for any unauthorized access attempts. Security teams should also implement network-level controls to monitor and restrict access to WordPress REST API endpoints, particularly those handling batch operations, as an additional defensive measure.

This vulnerability aligns with several common attack patterns documented in the ATT&CK framework, specifically targeting the T1071.004 technique for application layer protocol usage and T1566 for credential harvesting through web applications. The CWE mapping for this issue would likely fall under CWE-287 for improper authentication and potentially CWE-89 for SQL injection, depending on the specific exploitation method employed by attackers. Organizations should also consider implementing web application firewalls to help detect and prevent exploitation attempts of these specific API endpoints while maintaining proper audit logging to track all REST API interactions for security analysis purposes.

The broader implications of this vulnerability highlight the importance of robust input validation and proper access control mechanisms within content management systems. WordPress developers and security teams should prioritize thorough code reviews of API endpoint handling, particularly around batch processing functionality, and implement stricter sanitization protocols for all user-supplied inputs that influence system behavior. The incident also underscores the necessity of maintaining updated security practices and the importance of conducting regular vulnerability assessments to identify similar issues before they can be exploited by malicious actors in the wild.

Responsible

WPScan

Reservation

07/17/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

high

Sources

Do you know our Splunk app?

Download it now for free!