CVE-2026-63030: WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue...
HIGH
CVSS 0.0
Exploit Available
5 PoC
Published: July 17, 2026 | Last Modified: July 17, 2026
Description
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.
Ghostwire Analysis — What This Means Practically
- 5 proof-of-concept exploits available on GitHub. Public exploit code lowers the barrier for both researchers and attackers.
- 4 articles from independent security sources have covered this vulnerability, indicating significant industry attention.
This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.
Proof-of-Concept Exploits (5)
Security Coverage (4 articles)
References