CVE-2026-63030

WordPress · WordPress

WordPress is affected by a REST API batch endpoint route confusion issue which, when combined with other vulnerabilities, can lead to SQL injection and Remote Code Execution.

Executive summary

A critical route confusion vulnerability in the WordPress REST API exposes the platform to SQL injection and potential remote code execution.

Vulnerability

This vulnerability involves an interpretation conflict (CWE-436) within the REST API batch endpoint. It allows unauthenticated attackers to manipulate query parameters, which can be chained with other flaws to execute arbitrary code.

Business impact

The ability to achieve Remote Code Execution grants an attacker full control over the WordPress installation and the underlying server. With a CVSS score of 9.8, this represents a critical risk to organizational infrastructure, potentially leading to total data breach and site defacement.

Remediation

Immediate Action: Update WordPress to version 6.9.5 or 7.0.2 or higher immediately to resolve the route confusion and associated injection paths.

Proactive Monitoring: Review access logs for anomalous REST API requests, specifically those targeting batch endpoints or displaying unexpected SQL syntax in query parameters.

Compensating Controls: Utilize a Web Application Firewall to block suspicious REST API traffic and disable unnecessary API endpoints if they are not required for site functionality.

Exploitation status

Public Exploit Available: Yes, multiple public proofs-of-concept exist on GitHub, specifically under the repository name wp2shell.

Analyst recommendation

Given the availability of public exploit code, the risk of compromise is high. Administrators must treat this as a high-priority update and apply the latest WordPress patches across all affected environments immediately.