✅CVE-2026-63030: Unauthenticated SQL injection in WordPress core chaining to RCE. No credentials, no configuration. One endpoint: POST /wp-json/batch/v1.
The REST batch endpoint builds two parallel arrays ($matches and $validation) that fall out of step when a sub-request path fails wp_parse_url(). A sub-request gets dispatched under a different handler’s context. The PoC nests this route confusion twice: first to bypass the method allow-list, then to reach a blind SQL injection via author_exclude in WP_Query, which interpolates the value into SQL as a string.
The chain:
boolean/time-based blind SQLi → extract admin password hash → crack → plugin upload → command execution. Interactive shell included.
Affects WordPress 6.9.0–6.9.4 and 7.0.0–7.0.1. Fixed in 6.9.5 and 7.0.2. Python 3.8+, zero dependencies.
Mitigation:
block /wp-json/batch/v1 and rest_route=/batch/v1 at the edge, or require auth via rest_pre_dispatch filter.
https://github.com/Icex0/wp2shell-poc
