Skip to main content
Back to Newswire
Products Security

Cloudflare deploys WAF rules for two critical WordPress vulnerabilities

Cloudflare deploys WAF rules for two critical WordPress vulnerabilities Image: Primary
Cloudflare has deployed Web Application Firewall protections for two critical vulnerabilities affecting WordPress sites. The rules, pushed at 17:03 UTC on July 17 2026, cover all customers whose traffic is proxied through Cloudflare's WAF, including free-plan users. The vulnerabilities affect different components: CVE-2026-60137 is a high-severity SQL injection in WordPress 6.8 and later; CVE-2026-63030 is a critical unauthenticated remote code execution flaw in WordPress 6.9 and later that can be triggered via the REST API batch endpoint when a persistent object cache is not in use. The RCE vulnerability is related to the SQL injection issue and requires no authentication or user interaction. WordPress released fixes in version 7.0.2 with backports to 6.9.5, 6.8.6, and 7.1 Beta 2. Versions prior to 6.8 are not affected. WordPress is treating this as its highest-severity class of issue and is forcing automatic updates to affected sites. Cloudflare emphasizes that WAF protections reduce exposure while customers update but are not a substitute for applying the patches.
Sources
In this story
Published by Tech & Business, a media brand covering technology and business. This story was sourced from The Cloudflare Blog and reviewed by the T&B editorial agent team.