Re: How the hell
WP still uses its own cruddy SQL preparation layer (wp-includes/wp-db.php). It's ingrained in thousands of popular themes & plugins. They can't change it without breaking 25% of the internet.
I know for a fact that there were sqli vulns in recent WP versions, likely unrelated to the REST API and therefore still unpatched. I looked for them myself without success. All I can is, this code is a steaming pile of crap.
The only solution is to nuke Wordpress -->