Two site-takeover flaws in WordPress core: CVE-2026-60137 and CVE-2026-63030 β update now
WordPress, used by about 40% of all websites, has two database-tampering flaws (SQL injection) in its core. Tracked as CVE-2026-60137 and CVE-2026-63030, when chained they can let attackers take over a site with no login. Fixes 6.8.6, 6.9.5, and 7.0.2 shipped and auto-updates were force-pushed. Here's how to confirm your site is already fixed.
Table of contents
WordPress, used by about 40% of all websites, has two database-tampering flaws (SQL injection) in its core. Tracked as CVE-2026-60137 and CVE-2026-63030, when chained they can let attackers take over a site with no login. Fixes 6.8.6, 6.9.5, and 7.0.2 shipped and auto-updates were force-pushed. Here's how to confirm your site is already fixed.
WordPress, the software behind roughly 40% of all websites, has two serious flaws in its core that can lead to site takeover. They are CVE-2026-60137 and CVE-2026-63030, and when combined, an unauthenticated remote attacker can tamper with the database and ultimately run arbitrary code on the server. These are flaws in the engine that runs WordPress itself β not in a specific plugin (add-on).
On July 17, 2026, the project released the fixes WordPress 7.0.2, 6.9.5, and 6.8.6 together. The WordPress.org team also took the step of force-pushing automatic updates to sites on the affected versions. Most sites with auto-updates enabled should already be on a fixed version. But sites that disabled auto-updates, or are managed independently, need a manual update. Below we walk through what happened and how much it concerns you.
Key points (3 lines)
- WordPress core has two flaws that let attackers tamper with the database (SQL injection). Combined, they can lead to site takeover (code execution on the server) with no login required.
- The affected software is WordPress core 6.8β7.0. Fixes 6.8.6, 6.9.5, and 7.0.2 shipped on July 17, and the project also force-pushed automatic updates.
- If auto-updates are on, many sites are already fixed. Confirm in the admin dashboard that your version is 6.8.6 / 6.9.5 / 7.0.2 or later.
Why a "core flaw" is rare β and heavier
Most WordPress vulnerabilities turn up in "plugins" (add-ons) or "themes" (design packages) that you add later. If you don't use them, they don't concern you. This time, though, the flaws are in the foundation that runs WordPress β the part that nearly every WordPress site shares. Core flaws are uncommon, and that makes them both more newsworthy and wider in reach.
Both flaws are a type called "SQL injection." SQL injection is an attack where a crafted string is slipped into the commands (SQL) a site uses for its database, forcing it to perform operations it shouldn't. The database β which holds member data, posts, and fragments of passwords β can be read or written by outsiders.
The first flaw, CVE-2026-60137 (severity 9.1), lies in the internal post-query feature (WP_Query): the part that specifies "exclude these authors" (author__not_in) does not properly check its input, letting an attacker inject commands there. The second, CVE-2026-63030, is a route-confusion flaw in the endpoint that handles batched operations (the REST API batch endpoint). On its own it is unremarkable, but combined with the first, it is described as allowing an attacker to pull off SQL injection with no login and reach code execution (takeover) on the server.
Who targets this, and why
The people who exploit this are attackers who mechanically sweep the internet for WordPress sites left on old versions. Because WordPress is used everywhere, attackers can round up "sites that haven't updated" and try the same technique against them one after another. This is not just about high-profile sites being singled out.
By chaining the two holes, attackers aim to tamper with the site's database without even logging in, and ultimately run whatever program they want on the server. A successful takeover leads to site defacement, planting redirects to fake sites, stealing member or order data, and using the site as a springboard for further attacks.
The damage does not stop at site owners. Ordinary visitors to a hijacked site can unknowingly be served malicious code or have the personal data they enter stolen. For company or e-commerce sites, that translates directly into customer impact and loss of trust. That is why you should confirm your version and update promptly. WordPress plugins have also seen a wave of takeover flaws, so it is worth also checking our roundup of popular-plugin vulnerabilities.
The two flaws in detail
| CVE | What it is | Severity | Affected |
|---|---|---|---|
| CVE-2026-60137 | SQL injection via weak input checking in the post-query feature | 9.1 (Critical) | 6.8β7.0 (fixed 6.8.6/6.9.5/7.0.2) |
| CVE-2026-63030 | Batch-route confusion, chained with the above to reach RCE | 7.5 (High) | 6.9β7.0 (fixed 6.9.5/7.0.2) |
CVE-2026-60137 (CVSS 9.1): injecting commands through the query's "exclude" option
WordPress's internal feature for filtering posts (WP_Query) has an option to say "exclude these authors" (author__not_in). The value passed to this option was not checked thoroughly, so if a plugin or theme passes external input straight into it, an attacker can make the database run crafted commands. The project calls it a "facilitated SQL injection" (one that succeeds when the conditions line up); it was reported by TF1T, dtro, and haongo. On its own it depends on a plugin or theme carelessly passing input, but it is still rated a high 9.1.
CVE-2026-63030 (CVSS 7.5): batch-route confusion turns it into an unauthenticated entry point
WordPress has an endpoint that accepts multiple operations at once (the REST API batch endpoint). It had a flaw that lets an attacker cause it to confuse which operation was called. On its own this isn't dramatic, but combined with CVE-2026-60137 it is described as letting an attacker bypass a path that should require login, pull off SQL injection with no authentication, and from there reach code execution (RCE) on the server. It was reported by Adam Kues of the security firm Assetnote (Searchlight Cyber). It is a classic case of two holes that look minor apart but spike in severity when chained.
Is my site affected? (Quick reference)
Whether you're affected comes down to the WordPress core version you're running. Check the table below. You can find your version under Dashboard β Updates in the admin, or in the lower-right corner of the screen.
| Your version | Impact | Update to |
|---|---|---|
| 7.0.0β7.0.1 | Both flaws apply | 7.0.2 |
| 6.9.0β6.9.4 | Both flaws apply | 6.9.5 |
| 6.8.0β6.8.5 | 60137 applies | 6.8.6 |
| Before 6.8 | Not in scope here (mind older flaws) | Move to a supported release |
| 6.8.6/6.9.5/ 7.0.2 or later | Already fixed | No action needed |
By default, WordPress applies small (minor) updates automatically. This time the project force-pushed the update to affected versions, so unless you disabled auto-updates, you're likely already on a fixed version. Even so, some hosting setups or custom workflows turn auto-updates off, so rather than assume, it's safest to check the actual version.
What to do right now
First, check your WordPress core version in the admin. If it's 6.8.6, 6.9.5, or 7.0.2 or later, these two flaws are already handled. If it's older, update to the latest from the "Updates" screen. On most hosts you can update with a single button in the dashboard.
If you've disabled auto-updates, this is a good moment to turn them back on. WordPress core flaws are few, but when one appears, sites worldwide are targeted all at once. Enabling automatic minor-version updates for core is the surest way to avoid missing a fix. It's also worth reviewing your plugins and themes so they don't sit outdated β see our roundup of July's plugin flaws.
As of now, there are no reports of these two being used in real attacks, and they are not listed on the U.S. CISA catalog of actively exploited vulnerabilities (KEV). But once a fix ships, the technique is easier to infer from the differences, and WordPress is a prime target. You can check whether attacks have begun in our tracker of actively exploited vulnerabilities (Japanese).
FAQ
Q. If auto-updates are on, am I already safe?
Very likely. The project force-pushed the update to affected versions, so most sites with auto-updates on are already on a fixed version. Still, some hosting settings turn auto-updates off, so confirm the actual version (6.8.6 / 6.9.5 / 7.0.2 or later) in the admin.
Q. How dangerous is it?
Of the two, CVE-2026-60137 is rated 9.1 and CVE-2026-63030 is 7.5. Each needs certain conditions on its own, but combined they are described as allowing database tampering with no login and, ultimately, code execution on the server (site takeover). Because these are core flaws, the number of potentially affected sites is very large.
Q. Are plugins involved?
The flaws are in WordPress core, but CVE-2026-60137 becomes easier to exploit when a plugin or theme passes external input into a specific option. Either way, updating core to a fixed version resolves it. Plugins have their own wave of flaws too, so keep plugins and themes up to date as well.
Q. Is it being exploited already?
There are currently no reports of real-world exploitation, and it is not on the U.S. CISA KEV catalog of actively exploited vulnerabilities. But the technique becomes easier to infer after a fix ships, so sites that haven't updated should act quickly.
Summary
WordPress, used by about 40% of all websites, has two SQL-injection flaws in its core: CVE-2026-60137 (9.1) and CVE-2026-63030 (7.5). Combined, they can let an attacker take over a site with no login. Because these are core flaws rather than plugin ones, the pool of potentially affected sites is very large.
The saving grace is that fixes 6.8.6, 6.9.5, and 7.0.2 shipped on July 17, and the project even force-pushed automatic updates. If auto-updates are on, many sites are already fixed β but don't assume; confirm your version in the admin. There are no reports of attacks yet, but core flaws draw simultaneous, worldwide targeting, so it's safest to update sooner rather than later.
Sources
- βΈ WordPress News - WordPress 7.0.2 Release (the project's security release announcement)
- βΈ NVD - CVE-2026-60137 (author__not_in / WP_Query SQL injection)
- βΈ NVD - CVE-2026-63030 (REST API batch-route confusion + SQLi β RCE)
- βΈ Assetnote Security Research (reporter of CVE-2026-63030)
- βΈ Related: WordPress popular-plugin vulnerability roundup (this site)

Makoto Horikawa
Backend Engineer / AWS / Django