general · BleepingComputer
Two critical remote code execution flaws in WordPress Core, tracked as CVE-2026-63030 and CVE-2026-60137, can be chained together to achieve pre-authentication RCE against WordPress versions 6.9.x and 7.0.x. The first flaw is a REST API batch-route confusion vulnerability; the second is an SQL injection issue in the author__not_in parameter of WP_Query. Public proof-of-concept exploits have been released. WordPress has enabled forced automatic updates for affected installations, and the company urges administrators to patch to WordPress 7.0.2 or 6.9.5 immediately. The full RCE chain affects WordPress 6.9.0–6.9.4 and 7.0.0–7.0.1; the SQL injection alone also impacts 6.8.0–6.8.5.
For organizations running WordPress—including SaaS providers, healthcare systems, and others in regulated industries—this vulnerability poses immediate risk because it requires no authentication and affects default installations. SaaS teams subject to SOC2 Type II audits should ensure patching is completed and documented as part of vulnerability management controls. Healthcare providers running WordPress-based portals or content systems must treat this as a patch-critical issue under HIPAA's security rule. Defense contractors and those handling CUI should validate that any WordPress instances in their environment are updated or mitigated immediately. Temporary mitigations (REST API blocks, WAF rules via Cloudflare or similar) can reduce exposure pending updates, though they are not substitutes for patching. An Omniware engagement can scope vulnerability management and update processes for your specific infrastructure.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/wordpress-core-wp2shell-rce-flaws-get-public-exploits-patch-now/
Source: BleepingComputer
All briefings