WordPress REST API unauth RCE (CVE-2026-63030) [PoC]
CVE-2026-63030
CVE-2026-63030: WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 REST API route confusion leads to unauthenticated SQLi and RCE (CVSS 9.8). Update to 6.9.5 or 7.0.2 immediately.
Exploitation confirmed - public proof-of-concept - CVE-2026-63030 is a critical unauthenticated remote code execution (RCE) vulnerability in WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 that lets remote attackers perform SQL injection and execute arbitrary PHP code on the server. Patched in versions 6.9.5 and 7.0.2 - update immediately.
Overview
CVE-2026-63030 is a REST API batch endpoint route confusion issue in the core WordPress REST API. The vulnerability affects WordPress 6.9 versions prior to 6.9.5 and 7.0 versions prior to 7.0.2. An attacker exploits this route confusion to bypass authentication checks on the batch processing endpoint, then chains it with the author__not_in WP_Query SQL injection (CVE-2026-60137) to execute arbitrary SQL queries. From there, the attacker can escalate to full remote code execution on the WordPress server, including the ability to read, modify, or delete any data, install malicious plugins, or compromise the hosting environment.
The vulnerability requires no authentication, no user interaction, and is remotely exploitable over the network. The CVSS 9.8 score reflects the maximum impact: complete confidentiality, integrity, and availability compromise from a single network request.
What is the Impact?
Successful exploitation grants the attacker full administrative control of the WordPress instance and the underlying server. SQL injection via CVE-2026-60137 allows extraction of the full WordPress user database (including password hashes), session tokens, and configuration secrets. RCE allows the attacker to execute arbitrary PHP code, install backdoors, pivot to other systems, or launch further attacks from the compromised server. Any site running an affected version is at risk of complete takeover.
Remediation
WordPress has released patches in versions 6.9.5 and 7.0.2. Upgrading to these patched versions is the only complete fix.
Recommended actions:
- Update immediately - Upgrade all WordPress installations to 6.9.5 (for the 6.9.x branch) or 7.0.2 (for the 7.0.x branch). This patches both CVE-2026-63030 and the underlying CVE-2026-60137 SQL injection.
- Verify patch application - Confirm the update was applied to all sites, including multisite installations and staging/development environments.
- Monitor for compromise - Review server logs for unusual SQL queries or REST API calls targeting batch endpoints. Check for suspicious user accounts, unknown plugins, or file modifications.
- Limit REST API exposure - As a defense-in-depth measure, restrict REST API access to trusted IP ranges where possible and disable the batch endpoint if not required.
CISA has not confirmed active exploitation - treat this as a potential attack vector and prioritize patching and for vulnerabilities with public exploit code.
Security Insight
CVE-2026-63030 follows a pattern seen in several recent WordPress core and plugin vulnerabilities: the REST API remains one of the most frequently exploited attack surfaces in the WordPress ecosystem. This vulnerability is particularly dangerous because it bypasses authentication entirely and chains with a separate SQL injection issue. The fact that an attacker needs no credentials and no user interaction makes this a near-instant compromise vector for unpatched sites. For security teams managing large WordPress fleets, this should reinforce the importance of treating REST API route handlers with the same security rigor as direct database queries - and ensuring that batch endpoints are never assumed to be safe from identity confusion.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| 47Cid/wp2shell-lab Educational PoC + lab for CVE-2026-63030 + CVE-2026-60137: pre-auth SQLi in WordPress core via REST batch-route confusion | ★ 4 |
| dinosn/wp2shell-lab Non-destructive detector + Docker lab for wp2shell (CVE-2026-63030 REST /batch/v1 route confusion + CVE-2026-60137 author__not_in SQLi) in WordPress core 6.9.0-6.9.4 / 7.0.0-7.0.1 | ★ 2 |
| attackercan/wp2shell-poc2 CVE-2026-63030 | ★ 0 |
| Senanfurkan/wordpress-cve-2026-63030 Pre-auth RCE in WordPress Core via REST API batch route confusion + WP_Query SQLi (CVE-2026-63030 / CVE-2026-60137). Detection PoC. | ★ 0 |
| ekomsSavior/wp2shell CVE-2026-63030 (RCE) + CVE-2026-60137 (SQLi) | ★ 0 |
Showing 5 of 5 known references. Source: nomi-sec/PoC-in-GitHub.
Nuclei Detection Templates
Detection template available — your exposure is being scanned
The templates below are YAML signatures for the Nuclei scanner from ProjectDiscovery. They are not exploit code — they are detection rules that confirm whether a target is vulnerable. The presence of a Nuclei template means every bug bounty hunter, AppSec team, red team, and reconnaissance pipeline on the public internet is actively probing for this CVE.
Assume your exposed instances have already been touched. Patch immediately even if no exploitation is observed yet — fingerprinting precedes exploitation by days at most.
| Template | Source |
|---|---|
CVE-2026-63030.yaml | View YAML |
1 Nuclei template indexed for this CVE. Source: projectdiscovery/nuclei-templates.
Related Advisories
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowin...
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE....
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application depl...
Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow defini...