Intel

AIKIDO-2026-696183

johnpbloch/wordpress-core is vulnerable to Remote Code Execution (RCE)

Remote Code Execution (RCE)CVE-2026-63030 Published Yesterday

97

Critical Risk

This Affects:

PHPjohnpbloch/wordpress-core
6.9.0 - 6.9.4
Fixed in 6.9.5
7.0.0 - 7.0.1
Fixed in 7.0.2
Are you affected? Scan for Free

TL;DR

The REST API /batch/v1 endpoint has a batch-route confusion issue that, combined with SQL injection, lets an unauthenticated attacker reach remote code execution on a stock WordPress install with no plugins required. An anonymous request to the batch API can therefore take over the site. The fix hardens batch-route handling and closes the SQL injection path that enabled the RCE.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and the site does not use a persistent object cache.

Background info

johnpbloch/wordpress-core is vulnerable to Remote Code Execution (RCE) in versions 6.9.0 - 6.9.4 and 7.0.0 - 7.0.1.

How to fix this

Upgrade the johnpbloch/wordpress-core library to the patch version.