The first ever poc of the pre-auth timing-based SQL injection PoC for the WordPress REST API batch-route confusion chain (CVE-2026-63030 + CVE-2026-60137); still working on command exec
Affected: WordPress 6.9.0–6.9.4 and 7.0.0–7.0.1. Fixed in 6.9.5 and 7.0.2.
python3 poc.py https://target.example
python3 poc.py https://target.example 'SELECT DATABASE()'Research: Searchlight Cyber · Aikido · Aikido Intel · WordPress