ON July 17, 2026, a critical remote code execution vulnerability (CVE-2026-63030) was disclosed in WordPress Core, allowing unauthenticated attackers to exploit a weakness via the REST API. The vulnerability affects WordPress versions 6.9.0 to 6.9.4 and 7.0.0 to 7.0.1, with fixes available in versions 6.9.5 and 7.0.2. Organizations are urged to upgrade immediately to mitigate risks. The vulnerability's potential for widespread impact is heightened by WordPress's popularity as a content management system. Currently, no public exploits have been confirmed in active use, but the risk remains significant due to the nature of the flaw.
WordPress REST API flaw lets attackers run code remotely
CyberSIXT Evidence Panel
Article by CyberSIXT
Timeline Coverage
Swipe to explore timeline
-
WordPress SQLi bug allows remote code execution, update now
cybersixt.com
-
WordPress REST API flaw lets attackers run code remotely
www.rapid7.com
-
Cloudflare Deploys WAF Rules to Block WordPress RCE and SQLi
cybersixt.com