Critical (9.8)

WordPress REST API unauth RCE (CVE-2026-63030) [PoC]

CVE-2026-63030

CVE-2026-63030: WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 REST API route confusion leads to unauthenticated SQLi and RCE (CVSS 9.8). Update to 6.9.5 or 7.0.2 immediately.

Exploitation confirmed - public proof-of-concept - CVE-2026-63030 is a critical unauthenticated remote code execution (RCE) vulnerability in WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 that lets remote attackers perform SQL injection and execute arbitrary PHP code on the server. Patched in versions 6.9.5 and 7.0.2 - update immediately.

Overview

CVE-2026-63030 is a REST API batch endpoint route confusion issue in the core WordPress REST API. The vulnerability affects WordPress 6.9 versions prior to 6.9.5 and 7.0 versions prior to 7.0.2. An attacker exploits this route confusion to bypass authentication checks on the batch processing endpoint, then chains it with the author__not_in WP_Query SQL injection (CVE-2026-60137) to execute arbitrary SQL queries. From there, the attacker can escalate to full remote code execution on the WordPress server, including the ability to read, modify, or delete any data, install malicious plugins, or compromise the hosting environment.

The vulnerability requires no authentication, no user interaction, and is remotely exploitable over the network. The CVSS 9.8 score reflects the maximum impact: complete confidentiality, integrity, and availability compromise from a single network request.

What is the Impact?

Successful exploitation grants the attacker full administrative control of the WordPress instance and the underlying server. SQL injection via CVE-2026-60137 allows extraction of the full WordPress user database (including password hashes), session tokens, and configuration secrets. RCE allows the attacker to execute arbitrary PHP code, install backdoors, pivot to other systems, or launch further attacks from the compromised server. Any site running an affected version is at risk of complete takeover.

Remediation

WordPress has released patches in versions 6.9.5 and 7.0.2. Upgrading to these patched versions is the only complete fix.

Recommended actions:

  • Update immediately - Upgrade all WordPress installations to 6.9.5 (for the 6.9.x branch) or 7.0.2 (for the 7.0.x branch). This patches both CVE-2026-63030 and the underlying CVE-2026-60137 SQL injection.
  • Verify patch application - Confirm the update was applied to all sites, including multisite installations and staging/development environments.
  • Monitor for compromise - Review server logs for unusual SQL queries or REST API calls targeting batch endpoints. Check for suspicious user accounts, unknown plugins, or file modifications.
  • Limit REST API exposure - As a defense-in-depth measure, restrict REST API access to trusted IP ranges where possible and disable the batch endpoint if not required.

CISA has not confirmed active exploitation - treat this as a potential attack vector and prioritize patching and for vulnerabilities with public exploit code.

Security Insight

CVE-2026-63030 follows a pattern seen in several recent WordPress core and plugin vulnerabilities: the REST API remains one of the most frequently exploited attack surfaces in the WordPress ecosystem. This vulnerability is particularly dangerous because it bypasses authentication entirely and chains with a separate SQL injection issue. The fact that an attacker needs no credentials and no user interaction makes this a near-instant compromise vector for unpatched sites. For security teams managing large WordPress fleets, this should reinforce the importance of treating REST API route handlers with the same security rigor as direct database queries - and ensuring that batch endpoints are never assumed to be safe from identity confusion.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository Stars
47Cid/wp2shell-lab

Educational PoC + lab for CVE-2026-63030 + CVE-2026-60137: pre-auth SQLi in WordPress core via REST batch-route confusion

★ 4
dinosn/wp2shell-lab

Non-destructive detector + Docker lab for wp2shell (CVE-2026-63030 REST /batch/v1 route confusion + CVE-2026-60137 author__not_in SQLi) in WordPress core 6.9.0-6.9.4 / 7.0.0-7.0.1

★ 2
attackercan/wp2shell-poc2

CVE-2026-63030

★ 0
Senanfurkan/wordpress-cve-2026-63030

Pre-auth RCE in WordPress Core via REST API batch route confusion + WP_Query SQLi (CVE-2026-63030 / CVE-2026-60137). Detection PoC.

★ 0
ekomsSavior/wp2shell

CVE-2026-63030 (RCE) + CVE-2026-60137 (SQLi)

★ 0

Showing 5 of 5 known references. Source: nomi-sec/PoC-in-GitHub.

Nuclei Detection Templates

Detection template available — your exposure is being scanned

The templates below are YAML signatures for the Nuclei scanner from ProjectDiscovery. They are not exploit code — they are detection rules that confirm whether a target is vulnerable. The presence of a Nuclei template means every bug bounty hunter, AppSec team, red team, and reconnaissance pipeline on the public internet is actively probing for this CVE.

Assume your exposed instances have already been touched. Patch immediately even if no exploitation is observed yet — fingerprinting precedes exploitation by days at most.

Template Source
CVE-2026-63030.yaml View YAML

1 Nuclei template indexed for this CVE. Source: projectdiscovery/nuclei-templates.

Related Advisories

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.