WordPress Core Patched for Two High-Severity SQL Injection Vulnerabilities
WordPress 7.0.2 addresses two critical vulnerabilities: a facilitated SQL injection and a REST API confusion leading to RCE, affecting versions 6.9 and earlier.

WordPress has released version 7.0.2, a security update designed to address two high-severity vulnerabilities that could impact a significant portion of its user base. The update, pushed out on July 18, 2026, is crucial for users running WordPress 6.9 and earlier versions.
The first vulnerability, identified as CVE-2026-60137, involves a facilitated SQL injection. This type of flaw allows attackers to manipulate database queries, potentially leading to unauthorized data access or modification. The issue was reported to the WordPress security team by TF1T, dtro, and haongo.
A second, also high-severity, vulnerability, bearing the same identifier CVE-2026-60137, stems from a confusion within the REST API's batch routing. This vulnerability can be chained with other issues to achieve SQL injection and ultimately Remote Code Execution (RCE). This critical flaw was reported by Adam Kues from Assetnote / Searchlight Cyber.
These vulnerabilities affect WordPress version 6.9, which has been patched with version 6.9.5. Users of WordPress 6.8 are also affected by the first SQL injection vulnerability, and a fix is available in version 6.8.6. The beta release of WordPress 7.1 was also impacted, with fixes included in beta2. Versions of WordPress prior to 6.8 are not affected by these specific issues.
Given the severity of these vulnerabilities, particularly the potential for RCE, users are strongly advised to update their WordPress installations immediately. The WordPress project often enables forced updates for critical security releases, ensuring that a large percentage of sites are protected quickly.
For administrators unable to update immediately, Searchlight Cyber researchers have proposed temporary mitigations. These include blocking anonymous access to the batch API. This can be achieved by installing a plugin that restricts access to the REST API or by configuring a Web Application Firewall (WAF) to block requests to /wp-json/batch/v1 and ?rest_route=/batch/v1. However, these measures are considered emergency workarounds and may disrupt legitimate site functionality.
The disclosure of these vulnerabilities underscores the ongoing security challenges faced by the widely used WordPress content management system. With millions of websites relying on WordPress, even seemingly minor flaws can have a broad impact. The WordPress security team's proactive approach to identifying and patching such issues is vital in maintaining the platform's integrity.
This incident serves as a reminder for all website administrators to stay vigilant, apply security updates promptly, and consider implementing robust security practices, including regular backups and the use of security plugins, to protect their sites from potential exploitation.