Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4045 articles · 176782 vulns · 36/41 feeds (7d)
← Back to list
7.5
CVE-2026-63030KEVEXPLOITEDPATCHED
wordpress · wordpress

WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution

Description

WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.

Affected Products

VendorProductVersions
wordpresswordpress6.9.0, 7.0.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4, 7.0.1

References

  • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ff9f-jf42-662q(vdb-entry, technical-description)
  • https://wordpress.org/news/2026/07/wordpress-7-0-2-release/(release-notes, vendor-advisory)

Related News (2 articles)

Tier C
Rapid7 Blog3h ago
CVE-2026-63030: wp2shell a Critical Remote Code Execution Vulnerability in WordPress Core
→ No new info (linked only)
Tier C
VulDB5h ago
CVE-2026-63030 | WordPress up to 6.9.4/7.0.1 REST API Batch Endpoint interpretation conflict
→ No new info (linked only)
CVSS 3.17.5 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV✅ Yes
Actively exploited✅ Yes
Patch available
6.9.57.0.2
PublishedJul 17, 2026
Last enriched2h agov3
Tags
unauthenticateddefault-installationobject-cache-bypass
Trending Score125🔥
Source articles3
Independent2
Info Completeness8/14
Missing: epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-60137
WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query
Trending: 44
HIGHCVE-2026-9700EXP
Eventer <= 4.4.2 - Unauthenticated SQL Injection via 'code' Parameter
Trending: 13
MEDIUMCVE-2026-12097EXP
User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification
Trending: 12
CRITICALCVE-2026-6382EXP
Multiple elFinder Plugins - Authenticated OS Command Injection
Trending: 9
HIGHCVE-2026-8441EXP
WP Review Slider Pro <= 12.7.2 - Unauthenticated SQL Injection via 'notinstring' Parameter
Trending: 6

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 17, 2026
Added to CISA KEV
Jul 17, 2026
Discovered by ZDM
Jul 17, 2026
Updated: severity, cvssEstimate, affectedVersions
Jul 17, 2026
Actively Exploited
Jul 17, 2026
Patch Available
Jul 17, 2026
Updated: severity, affectedVersions, tags
Jul 17, 2026

Version History

v3
Last enriched 2h ago
v3Tier C2h ago

Updated severity from HIGH to CRITICAL per GitHub Security Advisory; expanded affected versions to include 6.9.1-6.9.4 and 7.0.1; added tags indicating unauthenticated attack path and object cache bypass requirement.

severityaffectedVersionstags
via Rapid7 Blog
v2Tier C5h ago

Updated severity to CRITICAL, added CVSS estimate of 9.0, and expanded affected versions to include 6.9.4 and 7.0.1.

severitycvssEstimateaffectedVersions
via VulDB
v15h ago

Initial creation