CVE-2026-63030

Published Jul 17, 2026

Last updated 18 hours ago

CVSS critical 9.8
WordPress
wp2shell

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-63030 is an unauthenticated remote code execution (RCE) vulnerability affecting WordPress versions 6.9 and later. This flaw allows an attacker to execute arbitrary code through the batch endpoint of the REST API. Exploitation of CVE-2026-63030 does not require any user interaction or authentication, and it is specifically possible when a persistent object cache is not in use. The vulnerability is related to a REST API batch-route confusion and SQL injection issue. Fixes for this vulnerability have been released in WordPress 7.0.2 and 6.9.5.

Description
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.
Source
contact@wpscan.com
NVD status
Received

Insights

Analysis from the Intruder Security Team
Published Jul 17, 2026

This is one of two vulnerabilities in a combined chain that allows unauthenticated SQL injection on any stock WordPress installation. CVE-2026-63030 is the entry point — a route confusion bug in the REST API batch endpoint that bypasses authentication, allowing an attacker to invoke internal handlers without any permission check. When combined with CVE-2026-60137, the full chain gives an unauthenticated attacker the ability to read any data from the WordPress database with a single HTTP request.

WordPress 6.9.0–6.9.4 and 7.0.0–7.0.1 are affected. Update to WordPress 6.9.5 or 7.0.2 immediately. No plugins, user interaction, or non-default configuration is required to exploit. Given WordPress powers approximately 43% of all websites, the attack surface is enormous.

WordPress Core contains a pre-authentication route confusion vulnerability in the REST API batch endpoint that, combined with CVE-2026-60137, allows unauthenticated SQL injection and potential remote code execution.

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-436

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

35

  1. wp2shell: Pre-auth RCE in WordPress Core An anonymous attacker can chain a REST API batch route confusion (CVE-2026-63030) with a WP_Query SQLi (CVE-2026-60137) to achieve remote code execution. Want to understand how the attack chain works and how to protect your WordPress site?

    @WordSec

    18 Jul 2026

    61 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. 🛡️ Vendor Threat Research (Jul 18) CVE-2026-63030 — CVE-2026-63030: wp2shell a Critical: patch CVE-2026-63030: wp2shell a Critical immediately — RCE exposure. Full brief 👇 — PCMedicalist https://t.co/8DG0WN4CDP

    @PCMedicalist

    18 Jul 2026

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. WordPress 7․0․2 released July 17, 2026, patches critical SQL injection flaws CVE-2026-60137 and CVE-2026-63030, affecting multiple versions. https://t.co/OGRajrObOp

    @f1tym1

    18 Jul 2026

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE: CVE-2026-63030 (wp2shell) Companion CVE: CVE-2026-60137 Type: Pre-Auth Blind SQL Injection Affected: WordPress 6.9.0–6.9.4, 7.0.0–7.0.1 Fixed: 6.9.5, 7.0.2+ https://t.co/du8398MSvj https://t.co/nDy3Ino053

    @cyber_advising

    18 Jul 2026

    1619 Impressions

    4 Retweets

    14 Likes

    12 Bookmarks

    1 Reply

    0 Quotes

  5. ‼ #WordPress: Disponibile Proof of Concept (PoC) per le vulnerabilità identificate dalle CVE-2026-60137 e CVE-2026-63030, già sanate dal vendor. Rischio: 🔴 Tipologia: 🔸 Remote Code Execution 🔗https://t.co/ghA7awqqDL ⚠ Importante mantenere aggiornati i sistemi h

    @csirt_it

    18 Jul 2026

    247 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. #wp2shell + CVE-2026-63030 breaks REST batch routing + CVE-2026-60137 injects SQL ---- + https://t.co/HcBushOAsr + https://t.co/QfHvBnALgw + https://t.co/Qz6DI2i7Uw + https://t.co/5bAREpXJpu

    @hahwul

    18 Jul 2026

    390 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    1 Reply

    0 Quotes

  7. 🚨 WordPress'te kimlik doğrulaması gerektirmeyen kritik seviye bir RCE zafiyeti (CVE-2026-63030) tespit edildi. Zafiyet, arka planda CVE-2026-60137 ile bağlantılı olarak çalışıyor. ⚙️ Sistemde kalıcı bir object cache kullanılmadığı durumlarda, doğrudan REST

    @pamircil

    18 Jul 2026

    212 Impressions

    0 Retweets

    8 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  8. What happens if you ask Kimi K3 to develop exploits for > CVE-2026-63030 breaks REST batch routing > CVE-2026-60137 injects SQL Anyone?

    @RichardGarwe

    18 Jul 2026

    83 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 CRITICAL - WordPress Core Unauthenticated Remote Code Execution (CVE-2026-63030 / CVE-2026-60137) WordPress core is vulnerable to a critical zero-precondition RCE exploit chain dubbed "wp2shell". The root cause combines a REST API batch-route confusion (CVE-2026-63030) with

    @UpwindMDR

    18 Jul 2026

    183 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. #WordPress #Seguridad Si usas WordPress 6.9, 6.9 o 7.0, actualiza a las últimas versiones disponibles. Hay unos parches de seguridad que corrigen 2 elementos críticos (RCE / SQLi). - CVE-2026-60137: corrigen: 6.8.6 - 6.9.5 - 7.0.2 - CVE-2026-63030: corrigen: 6.9.5 - 7.0.2

    @JavierCasares

    18 Jul 2026

    151 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Pokud jste ještě nektualizovali WordPress tak zbystřee, jsou tam dvě závažné chyby přímo v jádře. CVE-2026-60137: SQL injection a CVE-2026-63030: Unauthenticated remote code execution. https://t.co/yVk4KDcD6n

    @365tipu

    18 Jul 2026

    207 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Non-destructive detector + Docker lab for wp2shell (CVE-2026-63030 REST /batch/v1 route confusion + CVE-2026-60137 author__not_in SQLi) in WordPress core 6.9.0-6.9.4 / 7.0.0-7.0.1 https://t.co/eB9AVpUfSD

    @SajjadSiam01

    18 Jul 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Wp2Shell Critical pre authentication remote code execution (RCE) in WordPress Core (CVE-2026-63030 and CVE-2026-60137). It allows anonymous attackers to execute arbitrary code on a default WordPress installation without requiring user login or plugins. https://t.co/ujtN7Jwn1j

    @7h3h4ckv157

    18 Jul 2026

    2065 Impressions

    4 Retweets

    19 Likes

    10 Bookmarks

    0 Replies

    0 Quotes

  14. Wp2Shell Critical pre-authentication remote code execution (RCE) vulnerability in WordPress Core (CVE-2026-63030 and CVE-2026-60137). It allows anonymous attackers to execute arbitrary code on a default WordPress installation without requiring user login or plugins.

    @7h3h4ckv157

    18 Jul 2026

    525 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Non-destructive detector + Docker lab for wp2shell (CVE-2026-63030 REST /batch/v1 route confusion + CVE-2026-60137 author__not_in SQLi) in WordPress core 6.9.0-6.9.4 / 7.0.0-7.0.1 https://t.co/uGxtDZtA7j

    @Dinosn

    18 Jul 2026

    6950 Impressions

    14 Retweets

    82 Likes

    51 Bookmarks

    4 Replies

    0 Quotes

  16. It's Friday, so of course we can't have nice things! Initial technical analysis of #wp2shell CVE-2026-63030 and CVE-2026-60137 from the @VulnCheckAI research team — so far, it could be worse (but it's still not great): https://t.co/dLROB0N2ZD

    @catc0n

    18 Jul 2026

    1061 Impressions

    4 Retweets

    15 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  17. 🧠 Engineering & Research Digest (Jul 17) CVE-2026-63030 — CVE-2026-63030: wp2shell a Critical: patch CVE-2026-63030: wp2shell a Critical immediately — RCE exposure. Full digest 👇 — PCMedicalist Full digest 👇 via PCMedicalist

    @PCMedicalist

    18 Jul 2026

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. RCE in WordPress CVE-2026-63030/CVE-2026-60137 https://t.co/ZKepZbNKbr Credit: @wordpressdotcom https://t.co/ngNGhcKzFh

    @CoyEmerald1

    17 Jul 2026

    305 Impressions

    2 Retweets

    9 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  19. CVE-2026-63030 (RCE, Critical) and CVE-2026-60137 (SQLi, High) hit WordPress 6.8+; Cloudflare WAF rules went live at 17:03 UTC July 17, blocking exploitation for all proxied customers > Cloudflare deployed WAF rules for two WordPress vulnerabilities disclosed July 17: an

    @0J0BIT

    17 Jul 2026

    144 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. 🚨Searchlight Cyber's research team has found a pre-authentication RCE in WordPress Core. affected versions: 6.9.0–6.9.4, 7.0.0–7.0.1 No preconditions, exploitable by an anonymous user on a stock install with no plugins. CVE-2026-63030/CVE-2026-60137 https://t.co/LKa1

    @ITSecurityguard

    17 Jul 2026

    39594 Impressions

    84 Retweets

    290 Likes

    172 Bookmarks

    10 Replies

    12 Quotes