www.rapid7.com 7/17/2026, 11:51:26 PM · external

WordPress REST API flaw lets attackers run code remotely

WordPress REST API flaw lets attackers run code remotely
Developing story vulnerability 3 articles tracked
WordPress SQLi bug allows remote code execution, update now
CyberSIXT Evidence Panel
Primary Source github.com
CISA KEV Not in KEV
Patch Patch Status Unknown

ON July 17, 2026, a critical remote code execution vulnerability (CVE-2026-63030) was disclosed in WordPress Core, allowing unauthenticated attackers to exploit a weakness via the REST API. The vulnerability affects WordPress versions 6.9.0 to 6.9.4 and 7.0.0 to 7.0.1, with fixes available in versions 6.9.5 and 7.0.2. Organizations are urged to upgrade immediately to mitigate risks. The vulnerability's potential for widespread impact is heightened by WordPress's popularity as a content management system. Currently, no public exploits have been confirmed in active use, but the risk remains significant due to the nature of the flaw.

View Primary Source Via www.rapid7.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline