Critical WordPress Vulnerabilities Discovered – Fix Now!
Two critical WordPress security updates have been released, addressing severe vulnerabilities that require immediate attention.
Critical Vulnerabilities Addressed
The 7.0.2 security patch resolves one critical and one high-severity flaw impacting the platform. The issues were disclosed to the WordPress security team by multiple researchers. The first vulnerability, tracked as CVE-2026-60137, involves a SQL injection flaw that can be exploited to compromise database integrity. This issue was identified by a collaborative effort from TF1T, dtro, and haongo. A second vulnerability, also labeled CVE-2026-60137, arises from a misconfiguration in the REST API batch route, which could enable remote code execution through SQL injection. This specific flaw was reported by Adam Kues of Assetnote / Searchlight Cyber.
Affected Versions and Updates
WordPress versions 6.9 are affected by both vulnerabilities. The 6.9.5 update includes fixes for both issues. Version 6.8 is only impacted by the first vulnerability, with 6.8.6 providing a resolution. The beta release of WordPress 7.1 is also affected by both flaws, and the 7.1 beta2 version contains the necessary patches. Earlier versions, prior to 6.8, are not at risk.
Mitigation Strategies
Importance of Timely Patch Management
The vulnerabilities highlight the importance of timely patch management for WordPress installations. Organizations using affected versions are advised to apply the latest security releases promptly to prevent potential exploitation. Technical teams should also review their infrastructure for any dependencies on the REST API batch route and ensure that access controls are properly configured. The disclosures underscore ongoing challenges in securing content management systems, where API misconfigurations and injection flaws remain prevalent attack vectors. Cybersecurity professionals are urged to monitor official WordPress security advisories and implement proactive measures to mitigate risks associated with such vulnerabilities.
