securityaffairs.com 7/19/2026, 5:51:52 AM · external

Public PoC exploits hit critical WordPress CVEs, urging patches

Public PoC exploits hit critical WordPress CVEs, urging patches
Developing story vulnerability 4 articles tracked
WordPress critical flaw chain allows remote code execution and SQL injection
CyberSIXT Evidence Panel
Primary Source github.com
CISA KEV Not in KEV
Patch Patch Status Unknown

THE article discusses recently released public exploits targeting critical vulnerabilities in WordPress, specifically CVE-2026-63030 and CVE-2026-60137. These flaws allow remote code execution without authentication on default WordPress installations (versions 6.9.x and 7.0.x). Cybersecurity researchers from Searchlight Cyber discovered these issues, emphasizing the urgency of updating to WordPress 7.0.2 or 6.9.5 to mitigate risks. Temporary measures include blocking access to specific REST API endpoints. Over 500 million websites utilize WordPress, making immediate patching essential to prevent exploitation.

View Primary Source Via securityaffairs.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline