Overview
- Security researcher Adam Kues of Searchlight Cyber reported the flaw and WordPress released emergency fixes in versions 6.9.5 and 7.0.2 on Friday to close the vulnerability chain.
- The flaw is a two-part chain: a REST API batch-route confusion (CVE-2026-63030) combined with an SQL injection in WP_Query (CVE-2026-60137) that can lead to unauthenticated remote code execution on default installs.
- Public proof-of-concept exploits appeared after the patch and security firms have reported early signs of in-the-wild exploitation, which raises the urgency for admins to update now.
- WordPress enabled forced automatic updates for supported sites but administrators must still verify their running version because auto-updates can be disabled and some scanners initially lacked CVE-based detection.
- Short-term protections include blocking anonymous access to /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF, disabling unauthenticated REST access, or installing a blocker plugin, but patching remains the definitive fix.