>samit_hota
Back to advisories
SH-2026-148CriticalResolved

Critical RCE and SQLi Vulnerabilities Patched in WordPress Core

Samit Hota·
CVE ID
CVE-2026-63030, CVE-2026-60137
CVSS Score
N/A
Affected Products
WordPress Core versions 6.9.0-6.9.4, 7.0.0-7.0.1
#news#wordpress

Overview

The WordPress Security Team has recently addressed two critical security vulnerabilities in WordPress Core, impacting widely used versions of the content management system. The flaws include an unauthenticated SQL injection vulnerability (CVE-2026-60137) and a more severe unauthenticated remote code execution (RCE) vulnerability (CVE-2026-63030). These vulnerabilities, disclosed on July 17, 2026, collectively pose a significant risk, as the SQL injection can be chained with the RCE flaw to achieve full system compromise without requiring any authentication. The WordPress Security Team has initiated automatic updates for affected sites, emphasizing the urgency of applying these patches.

Technical Details

The primary concern for organizations running WordPress sites is the unauthenticated remote code execution vulnerability, CVE-2026-63030. This flaw affects WordPress versions 6.9.0 through 6.9.4 and versions 7.0.0 through 7.0.1. It specifically resides within the WordPress REST API batch endpoint (/wp-json/batch/v1). The vulnerability is described as a route/validation desynchronization issue, allowing a seemingly validated sub-request to be dispatched to an unintended callback. This bypasses the allow_batch restriction and allows for attacker-controlled parameters to be processed without proper input sanitization.

This RCE can be chained with an unauthenticated SQL injection vulnerability, CVE-2026-60137, which is also fixed in the latest updates. The SQL injection vulnerability, identified via the author__not_in parameter, typically carries a CVSS score of 7.5 (High). However, when leveraged in conjunction with the RCE, its impact escalates dramatically. Researchers at Searchlight Cyber, who identified CVE-2026-63030, noted that the vulnerable code path is exploitable when a persistent object cache is not in use. They further stated that the RCE can be exploited remotely against a default WordPress installation without requiring additional plugins. This combination means that an attacker, without any prior authentication or user interaction, could execute arbitrary code on the server, leading to a complete compromise of the website and its underlying data.

Real-World Impact

Given WordPress’s immense popularity as a content management system, with millions of websites globally relying on its core functionality, the real-world impact of these vulnerabilities is substantial. An unauthenticated RCE represents the pinnacle of web application security risks, enabling attackers to take full control of a compromised server. For public-facing websites, this could lead to data theft, defacement, malware distribution, or the establishment of persistent backdoors. The absence of a requirement for authentication or user interaction makes these flaws particularly dangerous, as they can be exploited silently and rapidly across vulnerable installations. Organizations running e-commerce platforms, critical infrastructure portals, or any website handling sensitive user data on WordPress are at extreme risk if unpatched.

Threat Landscape

The widespread deployment of WordPress makes it a perennial target for attackers. Vulnerabilities in its core, especially those allowing unauthenticated RCE, are quickly weaponized once technical details or proof-of-concept (PoC) exploits become public. While public exploitation reports were not confirmed at the time of initial disclosure, the ease of exploitation against a default installation means that attackers are likely already developing or have developed exploits. The WordPress Security Team’s proactive stance of initiating automatic updates underscores the immediate threat these vulnerabilities pose. The open-source nature of WordPress Core also means that security researchers and malicious actors alike can analyze the codebase, potentially accelerating the development of public exploits.

Remediation

Immediate action is required for all organizations utilizing WordPress.

  1. Update Immediately: Upgrade WordPress Core to the patched versions 6.9.5 or 7.0.2. A fix is also included in WordPress 7.1 Beta 2. The WordPress Security Team has initiated automatic updates, but it is crucial to confirm that your site has successfully updated.
  2. Verify Updates: After applying patches, administrators should verify that the updates have been successfully installed and that their WordPress installations are running the latest secure versions.
  3. Monitor for Suspicious Activity: Even after patching, monitor WordPress installations and server logs for any signs of compromise that might have occurred prior to the patch being applied. Look for unusual file modifications, unexpected user accounts, or outbound connections.
  4. Implement Web Application Firewall (WAF): A well-configured WAF can provide an additional layer of defense by detecting and blocking exploit attempts, especially in the interim period before patches can be fully deployed.

Wordfence Premium, Care, and Response customers received firewall rules protecting against the RCE vulnerability on July 17, 2026. This highlights the importance of layered security.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call