Cloudflare WAF Mitigates Critical WordPress Vulnerabilities

Cloudflare WAF Mitigates Critical WordPress Vulnerabilities

First seen 17 Jul 2026, 21:52 UTC Blog.Cloudflarewordpress.orgFeeds.4Sysops 87% similarity 70.5

Article Content

Browse articles
ThreatCluster

Cloudflare has implemented new Web Application Firewall (WAF) rules to protect against two critical vulnerabilities in WordPress: an unauthenticated remote code execution (RCE) flaw in the REST API and a SQL injection vulnerability. These vulnerabilities affect WordPress versions 6.8 and above, with the RCE impacting versions from 6.9 onwards. Cloudflare's protections are available to all users, including those on free plans, as long as their traffic is proxied through Cloudflare. The rules were deployed on July 17, 2026, at 17:03 UTC. WordPress has released version 7.0.2 to address these issues, with backports for earlier versions. Users are advised to confirm they are on a patched release while Cloudflare's WAF rules provide temporary protection. The vulnerabilities are classified as high-severity, and the WordPress security team has prioritized automatic updates for affected sites.

Key Points: • Cloudflare deployed WAF rules for two critical WordPress vulnerabilities on July 17, 2026. • The vulnerabilities include an unauthenticated RCE and SQL injection affecting versions 6.8 and above. • WordPress has released version 7.0.2 with fixes, and users are urged to update promptly.

ThreatCluster AI

Timeline

2026-07-17
Cloudflare deploys WAF rules
New WAF rules were implemented to mitigate critical RCE and SQL injection vulnerabilities in WordPress.
Blog.Cloudflare
2026-07-17
WordPress releases version 7.0.2
WordPress released version 7.0.2 to address the identified vulnerabilities, with backports for earlier versions.
Blog.Cloudflare

Community

Browse all →