CyberHawk Threat Intel — IOC Scanner, Live IOC Feed (3.6M+ indicators),
Infostealer Intelligence, Threat Map, MISP Feeds, GitHub Arsenal, Courses and more.
Free to join.
Register Free →
On July 17, 2026, the WordPress Security Team released updates to WordPress core addressing two security vulnerabilities. The first is an unauthenticated SQL injection vulnerability identified as CVE-2026-60137, while the second can be chained with the SQL injection to increase its impact to unauthenticated remote code execution and is identified as CVE-2026-63030.
To protect WordPress users while sites are being updated, we will not be providing additional technical details at this time.
The WordPress Security Team has initiated automatic updates for sites running vulnerable versions. However, we strongly recommend confirming as soon as possible that your site has successfully updated to one of the patched versions 6.8.6, 6.9.5, or 7.0.2, if running a 6.8.X, 6.9.X, or 7.0.X version of WordPress core.
Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against attacks targeting the remote code execution vulnerability on July 17, 2026. Wordfence Free users will receive the same protection 30 days later, on August 16, 2026.
Vulnerability Summary from Wordfence Intelligence
CVSS Rating
9.8 (Critical)
Affected Version(s)
Various
Patched Versions
6.9.5, 7.0.2
WordPress Core is vulnerable to Remote Code Execution in all versions 6.9 to 7.0.1 via the REST API batch request endpoint (/wp-json/batch/v1). This is due to a route/validation desynchronization that allows a validated sub-request to be dispatched to an unintended callback, bypassing the allow_batch restriction, with attacker-controlled parameters and the target route's input sanitization bypassed, which can be chained with SQL Injection. This may make it possible for attackers to execute code on the server.
CVSS Rating
7.5 (High)
Affected Version(s)
Various
Patched Versions
6.8.6, 6.9.5, 7.0.2
WordPress Core is vulnerable to generic SQL Injection via the 'author__not_in' parameter in versions 6.8 - 7.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The post PSA: WordPress Core Patched Unauthenticated Remote Code Execution Vulnerability Chain appeared first on Wordfence.
Accelerate Your Security Operations
CyberHawk Threat Intel is a complete Cyber Intelligence Platform — one place for every tool
a security professional needs. Built by
Rudra Verma,
Senior Security Architect and Researcher, CyberHawk Consultancy.
IOC Scanner — scan any domain, IP, hash, URL
Live IOC Feed — 3.6M+ indicators, filterable
Infostealer Intelligence — live compromised creds
Live Threat Map — real-time global attack vectors
MISP Threat Feeds — CIRCL, Feodo, Botvrij, more
GitHub Arsenal — curated security tools and scripts
Security Blog — CVE advisories and threat research
Video Courses — cybersecurity training and education
SOPs and Playbooks — SecOps procedures
Analyst Library — references and toolkits
Scan Reports — historical threat intelligence
Cyber News — this feed, aggregated in-platform