blog.cloudflare.com 7/17/2026, 8:27:13 PM · external

Cloudflare Deploys WAF Rules to Block WordPress RCE and SQLi

Cloudflare Deploys WAF Rules to Block WordPress RCE and SQLi
CyberSIXT Evidence Panel
Primary Source wordpress.org

CLOUDFLARE has implemented new Web Application Firewall (WAF) protections to address critical vulnerabilities in WordPress — specifically an Unauthenticated Remote Code Execution (RCE) vulnerability and an SQL Injection vulnerability. These vulnerabilities affect versions 6.8 and newer, with the RCE vulnerability only present in versions from 6.9 onwards. Cloudflare deployed the new rules on July 17, 2026, which will protect all customers using WAF.

While these protections reduce risk, patching WordPress is still necessary, with version 7.0.2 and backports to earlier versions addressing the issues. Security enhancements include specific rules for SQLi and RCE detection, which customers are encouraged to enable. Cloudflare will monitor and update these rules to adapt to new attacks.

View Primary Source Via blog.cloudflare.com

Article by CyberSIXT