Critical RCE Vulnerability in WordPress Core (CVE-2026-63030)
This text was generated using artificial intelligence (AI).On July 17, 2026, a critical security vulnerability was disclosed in the core of the WordPress content management system. The vulnerability, classified as CVE-2026-63030, allows attackers to execute arbitrary code (Remote Code Execution, RCE) on affected servers. An official CVSS score had not yet been assigned by NVD/MITRE at the time of publication; Cloudflare classifies the vulnerability in its analysis as Critical . Since the attack does not require authentication and, according to Cloudflare, is successful against installations without a persistent object cache, it poses a significant risk to WordPress website operators.
The security vulnerability, also known as „wp2shell,“ is the result of a chain of two vulnerabilities: a „batch route confusion“ in the REST API and an SQL injection vulnerability (CVE-2026-60137). Due to the high severity of this vulnerability, the WordPress security team has enabled a forced automatic update for affected installations—a measure that is only taken in the case of serious threats.
Technical Background and Attack Sequence
The point of attack is the publicly accessible endpoint /wp-json/batch/v1 the WordPress REST API. A logic error in the processing routine for bundled requests in the file class-wp-rest-server.php allows bypassing internal route validation. This enables attackers to send requests to internal API functions that normally require authentication.
In a second step, this unauthorized access is exploited to target an SQL injection vulnerability in the file class-wp-query.php to exploit. This allows manipulated SQL commands to be injected into and executed by the database, ultimately leading to the complete compromise of the system through remote code execution.
The vulnerability was reported by Adam Kues (Searchlight Cyber) as part of a responsible disclosure process. The associated SQL injection was discovered by a team consisting of TF1T, dtro, and haongo.
Affected Versions and Recommended Actions
All WordPress website operators need to take immediate action. The primary step is to update to a secure version.
Versions affected by the RCE vulnerability (CVE-2026-63030):
WordPress 6.9.0 through 6.9.4
WordPress 7.0.0 through 7.0.1
Versions affected by the SQL injection vulnerability (CVE-2026-60137):
WordPress 6.8.0 through 6.8.5
Immediate measures:
Update to version 7.0.2: Fixes both vulnerabilities.
Update to Version 6.9.5: Fixes both vulnerabilities for the 6.9.x branch.
Update to Version 6.8.6: Fixes the SQL injection vulnerability for the 6.8.x branch.
Short-term mitigation (if an update isn't possible right away):
Blocking the Path /wp-json/batch/v1 as well as ?rest_route=/batch/v1 via a Web Application Firewall (WAF).
Temporarily disable the WordPress REST API if it is not absolutely necessary.
Relevance for Companies in Germany, Austria, and Switzerland and Compliance
WordPress is one of the most widely used platforms worldwide—and the potential impact in the DACH region is correspondingly significant. Companies that use WordPress for public websites, customer portals, or internal microsites should immediately verify whether their installations are up to date with the latest patches. If personal data has been compromised as a result of exploitation of the vulnerability, the reporting obligation under GDPR Article 33 applies (72-hour deadline to notify the competent supervisory authority). For operators subject to the NIS 2 Directive, a successful attack may also trigger reporting obligations under Article 23 of NIS 2. The BSI generally recommends installing available security updates for exposed web applications without delay.
Visibility as the Foundation for Cybersecurity and Compliance
Vulnerabilities such as CVE-2026-63030 highlight the need for a comprehensive and up-to-date overview of all externally accessible IT systems. An External Attack Surface Management (EASM) platform like LocateRisk automatically maps an organization’s entire attack surface. This includes not only the company’s primary website but also often-overlooked shadow IT systems, such as forgotten marketing blogs, test environments, or microsites, which may also be running on a vulnerable version of WordPress.
By precisely identifying the software versions in use, security teams can secure affected systems in a targeted manner and without delay. This process is an essential component of risk management and supports compliance with regulatory requirements and standards such as NIS-2 or ISO 27001, which require active vulnerability management.
In addition, monitoring service providers as part of vendor risk management (VRM) is crucial. If an external agency operates a WordPress site for your company, any security vulnerability on their end becomes your risk. LocateRisk supports the continuous assessment of suppliers’ security posture and helps determine whether their systems also meet applicable compliance requirements. The platform is hosted in certified German data centers and helps customers comply with GDPR requirements.
The remote code execution (RCE) vulnerability affects WordPress versions 6.9.0 through 6.9.4, as well as versions 7.0.0 and 7.0.1. WordPress installations prior to version 6.9.0 are not affected by the RCE vulnerability.
Yes, your installation is not affected by the RCE vulnerability. However, it is vulnerable to the associated SQL injection vulnerability. CVE-2026-60137. An update to version 6.8.6 is strongly recommended.
Yes, the WordPress team released security updates on July 17, 2026. Depending on your current version, you should update to WordPress 7.0.2, 6.9.5 or 6.8.6 Update. WordPress has also enabled forced automatic updates for affected versions.
Request your personal Live-Demo now
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.