A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-63030, has been identified in WordPress Core. The flaw allows an attacker with no authentication to execute arbitrary code on a vulnerable website, potentially leading to a full server compromise. The vulnerability impacts a wide range of recent WordPress versions. Security updates have been released, and immediate patching is strongly recommended for all affected sites. Given the widespread use of WordPress, this vulnerability poses a significant threat to millions of websites.
CVE-2026-63030 exists in the WordPress REST API batch processing endpoint. An unauthenticated attacker can send a specially crafted request to this endpoint to trigger the RCE. According to researchers at Searchlight Cyber who discovered the flaw, it is exploitable in a default WordPress installation without any third-party plugins. The attack vector is reachable when a persistent object cache is not in use, which is a common configuration.
While the GitHub Security Advisory rated the flaw as critical, it was initially assigned a CVSS v3.1 score of 7.5. However, security analysts note that unauthenticated RCEs typically warrant a higher score, and the risk should be considered critical regardless of the current score.
The vulnerability affects the following versions of WordPress Core:
As of this report, there are no public reports of active exploitation in the wild. However, due to the unauthenticated nature of the vulnerability and the detailed information available, security experts anticipate that a functional proof-of-concept (PoC) exploit will be developed and released publicly in the near future. This will likely lead to widespread automated scanning and exploitation attempts.
A successful exploit of CVE-2026-63030 results in a complete compromise of the target WordPress site. An attacker can execute arbitrary code on the underlying server, which allows them to:
The following patterns may help identify attempts to exploit this vulnerability:
/wp-json/v1/batch/wp-content/uploads/.php, .sh) in the uploads directory, which could be a sign of a successful RCE./wp-json/v1/batch endpoint. Create alerts for multiple attempts from a single IP or requests containing suspicious strings.wp-content folder to alert on any unauthorized file modifications or creations, which could indicate a web shell has been planted./wp-json/v1/batch endpoint. This can serve as a temporary compensating control.The most critical mitigation is to update WordPress Core to a patched version (6.9.5 or 7.0.2).
Using a Web Application Firewall (WAF) to filter traffic to the vulnerable REST API endpoint can serve as a virtual patch.
A GitHub Security Advisory is published for CVE-2026-63030, and WordPress releases patched versions.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.