WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.
| Vendor | Product | Versions |
|---|---|---|
| wordpress | wordpress | 6.9.0, 7.0.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4, 7.0.1 |
Updated severity from HIGH to CRITICAL per GitHub Security Advisory; expanded affected versions to include 6.9.1-6.9.4 and 7.0.1; added tags indicating unauthenticated attack path and object cache bypass requirement.
Updated severity to CRITICAL, added CVSS estimate of 9.0, and expanded affected versions to include 6.9.4 and 7.0.1.
Initial creation