Critical RCE Vulnerability in WordPress Core Requires Immediate Patch

Critical RCE Vulnerability in WordPress Core Requires Immediate Patch

First seen 18 Jul 2026, 05:24 UTC Aikido.DevSlcyberCybersecuritynewswordpress.org 83% similarity 75.0

Article Content

Browse articles
ThreatCluster

On July 17, 2026, WordPress released version 7.0.2 to address a critical unauthenticated remote code execution (RCE) vulnerability, affecting over 500 million websites. The flaw, identified by Adam Kues of Searchlight Cyber, stems from a REST API batch-route confusion that allows anonymous attackers to exploit stock installations without plugins. Forced auto-updates have been enabled for affected sites due to the vulnerability's severity. Users are advised to update immediately to version 7.0.2 or 6.9.5 if on the 6.9 branch. Temporary mitigation measures include blocking access to the REST API batch endpoint. This incident marks the second SQL injection issue in a single WordPress core release, highlighting ongoing security challenges within the platform.

Key Points: • A critical RCE vulnerability in WordPress affects over 500 million sites. • Users must update to version 7.0.2 or 6.9.5 immediately to mitigate risks. • Temporary measures include blocking access to specific REST API endpoints.

ThreatCluster AI

Timeline

2026-07-17
WordPress 7.0.2 released
An emergency security update was issued to fix a critical unauthenticated RCE vulnerability affecting WordPress core.
Aikido.Dev
2026-07-17
Vulnerability discovered by Searchlight Cyber
Searchlight Cyber reported a pre-authentication RCE vulnerability in WordPress Core, exploitable by anonymous users.
Slcyber
2026-07-18
Forced updates enabled for affected sites
Due to the vulnerability's severity, WordPress.org enabled forced updates for sites running affected versions.
wordpress.org
2026-07-18
Public tool for vulnerability checking launched
Searchlight Cyber released wp2shell.com to help users check if their WordPress instances are vulnerable.
Slcyber

Community

Browse all →