
WordPress pushes forced security updates for critical REST API code execution flaw
WordPress 7.0.2 fixes critical REST API code execution and SQL injection flaws, with forced updates and Cloudflare WAF rules.
WordPress has released version 7.0.2 as an urgent security update after fixing one critical and one high-severity issue in core. The project said it has enabled forced automatic updates for affected sites because of the severity, while also publishing backported fixes for older supported branches.
The most serious bug is tracked as CVE-2026-63030. Cloudflare, which coordinated with the WordPress security team before public disclosure, described it as an unauthenticated remote code execution issue in WordPress's REST API batch endpoint when a persistent object cache is not in use. Cloudflare said no login or user interaction is required to exploit that path. A related SQL injection vulnerability, CVE-2026-60137, affects WordPress 6.8 and later and can allow crafted input to alter a database query.
Who needs to update
The patched releases are WordPress 7.0.2, 6.9.5, 6.8.6 and 7.1 Beta 2. WordPress said version 6.9 is affected by both vulnerabilities, version 6.8 is affected only by the SQL injection issue, and versions before 6.8 are not affected. Sites with automatic background updates should begin receiving the fix automatically, but administrators are still being urged to confirm their installed version or update manually from the WordPress dashboard.
Cloudflare said it deployed two Web Application Firewall rules at 17:03 UTC on July 17, 2026, covering the SQL injection and remote code execution patterns. The company says the protections apply to customers whose WordPress traffic is proxied through Cloudflare WAF, including free-plan customers through the Free Ruleset, but it stressed that WAF rules reduce exposure rather than repairing vulnerable code.
Why it matters
WordPress core security releases can have broad operational impact because the platform sits behind a large share of public websites, including small businesses, publishers and community organizations that may not have dedicated security staff. Forced automatic updates should shrink the vulnerable window for many installations, yet complex deployments sometimes disable auto-updates, pin versions, or run caching and WAF settings that need separate review.
For site owners, the immediate checklist is straightforward: verify the site is on 7.0.2, 6.9.5 or 6.8.6 as appropriate, check that managed WAF rules are blocking rather than only logging, and review recent REST API and database-related security events for suspicious requests. Developers testing the 7.1 beta should move to Beta 2 before further evaluation.
Sources
Cover photo by panumas nikhomkhai on Pexels, used under the Pexels License.
CyberOGZ Team






Comments (0)
Leave a Comment