This is one of two vulnerabilities in a combined chain that allows unauthenticated SQL injection on any stock WordPress installation. CVE-2026-63030 is the entry point — a route confusion bug in the REST API batch endpoint that bypasses authentication, allowing an attacker to invoke internal handlers without any permission check. When combined with CVE-2026-60137, the full chain gives an unauthenticated attacker the ability to read any data from the WordPress database with a single HTTP request.
WordPress 6.9.0–6.9.4 and 7.0.0–7.0.1 are affected. Update to WordPress 6.9.5 or 7.0.2 immediately. No plugins, user interaction, or non-default configuration is required to exploit. Given WordPress powers approximately 43% of all websites, the attack surface is enormous.
WordPress Core contains a pre-authentication route confusion vulnerability in the REST API batch endpoint that, combined with CVE-2026-60137, allows unauthenticated SQL injection and potential remote code execution.
