- Product: WordPress
- Vulnerabilities: 2 flaws (CVE-2026-60137, CVE-2026-63030)
- Highest severity: 9.1 (Critical · CVSSv3)
- Worst impact: < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query
- Status: No confirmed exploitation yet; patches available
- Action: Update to 6.8.6, 6.9.5, 7.0.2 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-60137 | 9.1 | CWE-89 | 6.8.6, 6.9.5, 7.0.2 | Not exploited |
| CVE-2026-63030 | 7.5 | CWE-436 | 6.9.5, 7.0.2 | Not exploited |
TL;DR
WordPress shipped 7.0.2 on July 17, 2026 to fix a critical flaw chain. The bug is a WordPress pre-auth RCE tracked as CVE-2026-63030, built on an SQL injection issue, CVE-2026-60137. Technical details and a working proof-of-concept are now public.
Why it matters
WordPress runs a large share of the web. Searchlight Cyber estimates over 500 million sites use it. This WordPress pre-auth RCE needs no login and no plugins, so a stock install is enough to be at risk.
The exposure grew this week. Searchlight published the vulnerability details, and a separate researcher released PoC exploit code on GitHub. WordPress.org also forced auto-updates, which signals how seriously the team views it.
How the attack works
The chain abuses the unauthenticated REST batch endpoint at /batch/v1. That endpoint runs several sub-requests in one call. A parsing quirk knocks two internal arrays out of step, so one sub-request runs under another’s handler. Searchlight calls this route confusion.
Nesting the trick twice bypasses the method allow-list and slips a rogue parameter into WP_Query. That parameter reaches SQL as a string. The result is a blind SQL injection reachable before authentication. Searchlight’s wp2shell disclosure and site checker explains the flaw and lets admins test exposure.
Exploitation status
No in-the-wild exploitation has been confirmed. However, the risk is real, because a public proof-of-concept for CVE-2026-63030 now exists. The tool confirms the injection and can read the database, including admin password hashes.
One limit deserves emphasis. Searchlight has not published the final jump from SQL injection to full code execution. That last step depends on cracking a recovered hash to reach admin, then uploading a plugin.
Affected versions
- CVE-2026-63030 (the RCE chain): WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1
- CVE-2026-60137 (SQL injection): WordPress 6.8 and higher
- Versions before 6.8 are not affected by the SQL injection, and versions before 6.9 escape the RCE chain.
Patch and mitigation steps
Update now. WordPress 7.0.2 carries the fix, and 6.9.5 covers the 6.9 branch. Sites on older lines can use 6.8.6. The official WordPress 7.0.2 release lists every backport.
Cannot patch yet? Block both /wp-json/batch/v1 and the rest_route=/batch/v1 parameter at your WAF. You can also require authentication for the batch endpoint. Treat these as temporary steps, not a substitute for the update.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.