Feeds.4Sysops
Critical RCE and SQL Injection Vulnerabilities in WordPress Disclosed
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
On July 17, 2026, WordPress disclosed two critical vulnerabilities, CVE-2026-63030 and CVE-2026-60137, affecting its core software. CVE-2026-63030 is a remote code execution (RCE) vulnerability in the REST API, while CVE-2026-60137 is a SQL injection flaw. Both vulnerabilities can be exploited by unauthenticated attackers on default installations, posing a significant risk due to the widespread use of WordPress. WordPress has released patches in version 7.0.2, and Cloudflare has deployed Web Application Firewall (WAF) protections to mitigate the risks. Organizations are strongly advised to apply patches immediately or implement WAF rules to protect their sites. As of the latest reports, there is no known exploitation in the wild, but the potential for reverse engineering of the patches exists.
Key Points: • Two critical vulnerabilities in WordPress disclosed: CVE-2026-63030 (RCE) and CVE-2026-60137 (SQLi). • Patches were released in WordPress version 7.0.2, with forced updates enabled for affected sites. • Cloudflare deployed WAF protections to mitigate risks for all customers, including free plan users.