WordPress Core Vulnerability Chain Enables Unauthenticated Remote Code Execution

Security researchers have disclosed a pair of WordPress core vulnerabilities that can be chained to execute code without authentication. The issues affect core installations, meaning sites running no...

Security researchers have disclosed a pair of WordPress core vulnerabilities that can be chained to execute code without authentication. The issues affect core installations, meaning sites running no third-party plugins may also be at risk.

The vulnerabilities are tracked as CVE-2026-63030 and CVE-2026-60137. The first involves confusion in WordPress’s REST API batch-processing route, while the second is a SQL injection affecting the author__not_in parameter used by WP_Query. In combination, the flaws allow an attacker to send an anonymous request that reaches the vulnerable database query and potentially leads to remote code execution.

Affected versions

  • WordPress 6.8.0 through 6.8.5: affected by the SQL injection; fixed in 6.8.6.
  • WordPress 6.9.0 through 6.9.4: affected by the full attack chain; fixed in 6.9.5.
  • WordPress 7.0.0 and 7.0.1: affected by the full chain; fixed in 7.0.2.
  • WordPress 7.1 beta 2 includes both fixes.

Researcher Adam Kues of Assetnote reported the REST API issue through WordPress’s HackerOne program. Separate researchers reported the SQL injection. Technical details and a working proof of concept have since been published, increasing the likelihood that attackers will attempt to reproduce the exploit.

WordPress rates the chained vulnerability as critical, although its associated CVE score is 7.5. The SQL injection alone has received a critical severity rating. No confirmed exploitation had been reported as of July 18, and the issue was not listed in CISA’s Known Exploited Vulnerabilities catalog at that time.

Administrators should verify their installed version and update to a fixed release as soon as possible rather than rely on automatic updates. The code-execution path reportedly requires the absence of a persistent object cache, but Redis or Memcached should not be treated as a substitute for patching.

Until updates are applied, organizations can consider blocking anonymous access to /wp-json/batch/v1 and the equivalent rest_route=/batch/v1 path at a web application firewall. Disabling unauthenticated REST API access or using a temporary filter to reject anonymous batch requests are additional options, though these measures may disrupt legitimate integrations and do not eliminate the underlying SQL injection.