WordPress 6.9.x < 6.9.5 / 7.0.x < 7.0.2 SQL Injection

critical Web App Scanning Plugin ID 115315

Synopsis

WordPress 6.9.x < 6.9.5 / 7.0.x < 7.0.2 SQL Injection

Description

WordPress versions 6.9.x < 6.9.5 and 7.0.x < 7.0.2 are vulnerable to a REST API batch-route confusion weakness, which combined with an SQL injection issue leads to Remote Code Execution.

Solution

Upgrade to WordPress 6.9.5, 7.10.1 or latest.

See Also

https://wordpress.org/news/2026/07/wordpress-7-0-2-release/

https://wp2shell.com/

Plugin Details

Severity: Critical

ID: 115315

Type: Check Based

Published: 7/18/2026

Updated: 7/18/2026

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7

Percentile: 98.27

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2026-60137

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Score Source: CVE-2026-60137

CVSS v4

Risk Factor: Critical

Base Score: 10

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/17/2026

Vulnerability Publication Date: 7/16/2026

Reference Information

CVE: CVE-2026-60137, CVE-2026-63030