Attackers can seize control of WordPress sites by exploiting two critical vulnerabilities, tracked as CVE-2026-63030 and CVE-2026-60137, which can be chained to achieve pre-authentication remote code execution on default WordPress installations running versions 6.9.x and 7.0.x. The flaws, introduced in WordPress 6.9, include a REST API batch-route confusion bug and a high-severity issue, allowing attackers to gain unauthorized access without authentication. Public proof-of-concept exploits are now available for these vulnerabilities, expanding the active attack surface. The disclosure of CVE-2026-63030 is particularly notable, as it introduces a new attack vector1. As a result, administrators should prioritize patching and monitoring their WordPress installations based on their exposure and evidence of exploitation. This vulnerability chain poses a significant risk to WordPress site security, making prompt action necessary to prevent potential takeovers.