VYPR
patchPublished Jul 17, 2026· 1 source

WordPress Core Patched for Critical SQL Injection and RCE Vulnerability Chain

WordPress core has been updated to fix a critical SQL injection flaw and a chained vulnerability leading to unauthenticated remote code execution.

The WordPress Security Team has released urgent updates for WordPress core, addressing a critical chain of vulnerabilities that could allow unauthenticated attackers to execute arbitrary code on affected websites. The patches, deployed on July 17, 2026, target two distinct but chainable flaws: CVE-2026-60137, an unauthenticated SQL injection vulnerability, and CVE-2026-63030, which enables remote code execution when combined with the SQL injection.

CVE-2026-60137, rated with a CVSS score of 7.5 (High), stems from insufficient escaping and preparation of the 'author__not_in' parameter within the WordPress REST API. This allows unauthenticated attackers to append malicious SQL queries, potentially leading to the extraction of sensitive database information. Researchers Tin Pham, Trong Pham, and haongo are credited with discovering this SQL injection vulnerability.

The more severe vulnerability, CVE-2026-63030, carries a CVSS score of 9.8 (Critical). It exploits a route and validation desynchronization within the REST API's batch request endpoint (/wp-json/batch/v1). This flaw allows a validated sub-request to be dispatched to an unintended callback, bypassing the 'allow_batch' restriction. Crucially, this bypass allows attacker-controlled parameters and bypasses the target route's input sanitization, enabling the chaining with the aforementioned SQL injection to achieve remote code execution.

To mitigate the risk to the vast number of WordPress sites globally, the WordPress Security Team has initiated automatic updates for all sites running vulnerable versions of WordPress core. However, users are strongly advised to manually verify that their installations have been successfully updated to one of the patched versions: 6.8.6 for the 6.8.X branch, 6.9.5 for the 6.9.X branch, and 7.0.2 for the 7.0.X branch.

Security firm Wordfence has provided proactive protection for its customers. Wordfence Premium, Care, and Response customers received a firewall rule to block attacks targeting the RCE vulnerability on the same day the patches were released. Free users of Wordfence will receive equivalent protection approximately 30 days later, on August 16, 2026, highlighting the ongoing need for vigilance even after patches are available.

This vulnerability chain underscores the persistent threat landscape for the world's most popular content management system. The ability to chain separate vulnerabilities to escalate privileges or achieve more severe impacts, such as remote code execution, is a common tactic employed by threat actors. The widespread adoption of WordPress means that such critical flaws can have a significant impact on a global scale.

Administrators and website owners are urged to prioritize updating their WordPress core installations immediately. Failure to do so leaves websites exposed to potential compromise, data breaches, and malicious code injection, which can further lead to defacement, spam distribution, or participation in botnets. The swift patching and automatic update rollout by the WordPress Security Team demonstrate the severity of these vulnerabilities.

Synthesized by Vypr AI