On July 17, 2026, the WordPress Security Team released updates to WordPress core addressing two security vulnerabilities. The first is an unauthenticated SQL injection vulnerability identified as CVE-2026-60137, while the second can be chained with the SQL injection to increase its impact to unauthenticated remote code execution and is identified as CVE-2026-63030.
To protect WordPress users while sites are being updated, we will not be providing additional technical details at this time.
The WordPress Security Team has initiated automatic updates for sites running vulnerable versions. However, we strongly recommend confirming as soon as possible that your site has successfully updated to one of the patched versions 6.8.6, 6.9.5, or 7.0.2, if running a 6.8.X, 6.9.X, or 7.0.X version of WordPress core.
Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against attacks targeting the remote code execution vulnerability on July 17, 2026. Wordfence Free users will receive the same protection 30 days later, on August 16, 2026.
Vulnerability Summary from Wordfence Intelligence
The post PSA: WordPress Core Patched Unauthenticated Remote Code Execution Vulnerability Chain appeared first on Wordfence.