Two new high severity WordPress vulnerabilities, patch immediately!

The 7.0.2 WordPress security release addresses one critical and one high severity security issue.

wp2shell CVE-2026-60137 CVE-2026-60137

The vulnerabilities reported to the WordPress security team include:

  • CVE-2026-60137 – A facilitated SQL injection issue reported as a team by TF1T, dtro, and haongo
  • CVE-2026-63030 – A REST API batch-route confusion and SQL injection issue leading to Remote Code Execution reported by Adam Kues at Assetnote / Searchlight Cyber

Which versions of WordPress are vulnerable?

  • WordPress 6.9 is affected by both vulnerabilities. Version 6.9.5 has been released containing fixes for both.
  • WordPress 6.8 is only affected by the first vulnerability. Version 6.8.6 has been released containing a fix.
  • The beta release of WordPress 7.1 is affected by both vulnerabilities. Version 7.1 beta2 has been released containing fixes for both.

Versions of WordPress prior to 6.8 are not affected.

Emergency temporary mitigation

If this isn’t possible, Security Researchers at Searchlight Cyber note you can temporarily protect your instance by blocking anonymous access to the batch API, either by:

  • Installing a plugin that blocks anonymous access to the rest API entirely; or
  • Blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level.

Note that both these solutions may have impact on legitimate use of the site and should only be considered emergency temporary measures until you can update.

Don't miss