Critical RCE Vulnerability in WordPress Core (CVE-2026-63030)


This text was generated using artificial intelligence (AI).On July 17, 2026, a critical security vulnerability was disclosed in the core of the WordPress content management system. The vulnerability, classified as CVE-2026-63030, allows attackers to execute arbitrary code (Remote Code Execution, RCE) on affected servers. An official CVSS score had not yet been assigned by NVD/MITRE at the time of publication; Cloudflare classifies the vulnerability in its analysis as Critical . Since the attack does not require authentication and, according to Cloudflare, is successful against installations without a persistent object cache, it poses a significant risk to WordPress website operators.

The security vulnerability, also known as „wp2shell,“ is the result of a chain of two vulnerabilities: a „batch route confusion“ in the REST API and an SQL injection vulnerability (CVE-2026-60137). Due to the high severity of this vulnerability, the WordPress security team has enabled a forced automatic update for affected installations—a measure that is only taken in the case of serious threats.