Critical RCE and SQL Injection Vulnerabilities in WordPress Disclosed

Critical RCE and SQL Injection Vulnerabilities in WordPress Disclosed

First seen 17 Jul 2026, 21:52 UTC Blog.CloudflareFeeds.4SysopsGround.Newslabs.beazley.securitywordpress.org+4 88% similarity 74.0

Article Content

Browse articles
ThreatCluster

On July 17, 2026, WordPress disclosed two critical vulnerabilities, CVE-2026-63030 and CVE-2026-60137, affecting its core software. CVE-2026-63030 is a remote code execution (RCE) vulnerability in the REST API, while CVE-2026-60137 is a SQL injection flaw. Both vulnerabilities can be exploited by unauthenticated attackers on default installations, posing a significant risk due to the widespread use of WordPress. WordPress has released patches in version 7.0.2, and Cloudflare has deployed Web Application Firewall (WAF) protections to mitigate the risks. Organizations are strongly advised to apply patches immediately or implement WAF rules to protect their sites. As of the latest reports, there is no known exploitation in the wild, but the potential for reverse engineering of the patches exists.

Key Points: • Two critical vulnerabilities in WordPress disclosed: CVE-2026-63030 (RCE) and CVE-2026-60137 (SQLi). • Patches were released in WordPress version 7.0.2, with forced updates enabled for affected sites. • Cloudflare deployed WAF protections to mitigate risks for all customers, including free plan users.

ThreatCluster AI

Timeline

2026-07-17
WordPress discloses critical vulnerabilities
WordPress announced CVE-2026-63030 and CVE-2026-60137, affecting its core software and enabling remote code execution and SQL injection.
labs.beazley.security
2026-07-17
Cloudflare deploys WAF protections
Cloudflare released new WAF rules to protect WordPress sites from the disclosed vulnerabilities, effective for all customers.
Blog.Cloudflare
2026-07-17
Cloudflare WAF blocks vulnerabilities
Cloudflare confirmed the deployment of WAF rules to block attempts to exploit the critical vulnerabilities in WordPress.
Feeds.4Sysops
2026-07-17
CVE-2026-60137 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-07-17
CVE-2026-63030 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-07-18
WordPress 7.0.2 security release
WordPress released version 7.0.2 to address the critical vulnerabilities, enabling forced updates for affected sites.
wordpress.org

Community

Browse all →