External risk intelligence

WordPress REST API Route Confusion and SQL Injection Leading to RCE

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-63030

The vulnerability affects the REST API of WordPress, a platform designed as a public-facing web application. WordPress sites are typically deployed as internet-accessible endpoints, making the REST API directly reachable from the public internet by design in normal operational configurations.

SQL Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in WordPress that could allow unauthenticated attackers to execute arbitrary code on affected systems by exploiting a flaw in the REST API. This issue, when combined with another vulnerability, presents a significant risk if left unaddressed.

  • API flaw allows code execution.
  • Critical flaw impacts widely used software.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit a flaw in WordPress's REST API to gain unauthorized access and potentially execute code remotely. This is achieved by exploiting a route confusion vulnerability that, when combined with a separate SQL injection flaw, allows an attacker to manipulate database queries. If successful, this could lead to significant compromise of the affected WordPress installation.

  • No authentication required.
  • REST API batch endpoint.
  • SQL injection and remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A route confusion issue in the WordPress REST API, when combined with another vulnerability, could allow an unauthenticated attacker to inject SQL commands. If exploited, this could lead to remote code execution on the affected WordPress sites.

  • Sensitive data on the server.
  • SQL injection via batch endpoint.
  • Remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners, infrastructure teams, and security teams are likely responsible for addressing this vulnerability. The first practical step is to identify all instances of the affected technology, assess their reachability and criticality, and confirm ownership before planning remediation.

  • Application owners should own the issue.
  • Verify public-facing WordPress instances first.
  • Plan remediation based on confirmed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is WordPress?

WordPress is a popular content management system used to build and maintain websites. It powers a vast portion of the internet by allowing users to create, manage, and publish digital content through an accessible interface. Under the hood, it uses the REST API to handle communication between the web browser and the server, enabling dynamic features like post updates or data fetching.

What is the vulnerability in CVE-2026-63030?

This vulnerability is categorized as CWE-436, or ASP.NET Improper Handling of Parameters (often generalized as route confusion). It occurs when the REST API fails to correctly identify the intended path or function, allowing requests to be routed incorrectly. In this case, that confusion acts as a gateway that, when combined with a separate SQL injection flaw, enables unauthorized data manipulation and arbitrary code execution.

How does an attacker trigger this issue?

The attack path involves sending a specially crafted request to the REST API batch endpoint. Because this is a route confusion flaw, it requires a specific sequence of operations that tricks the API into processing parameters it should otherwise reject. Importantly, standard, non-malicious API usage—such as normal site navigation or typical administrative updates—does not trigger this vulnerability.

Is my site at risk if it runs WordPress?

If you are using an affected version of WordPress, your risk level is elevated. According to Halo Surface Signal, WordPress sites are typically designed to be internet-facing by default, meaning the REST API is reachable from the public web. If your instance is exposed to the internet, it can be targeted without needing any pre-existing user account or authentication credentials.

What should I do to protect my WordPress site?

Your first step is to perform an inventory of all WordPress installations you manage to identify which ones are running version 6.9.x or 7.0.x. Once identified, prioritize the most accessible instances—specifically those reachable from the public internet—and prepare to update them to the patched versions provided by the vendor. Coordinate with your team to verify ownership so that remediation can be applied systematically.

References