惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

云风的 BLOG
云风的 BLOG
Help Net Security
Help Net Security
Y
Y Combinator Blog
WordPress大学
WordPress大学
D
DataBreaches.Net
N
Netflix TechBlog - Medium
U
Unit 42
爱范儿
爱范儿
MyScale Blog
MyScale Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 司徒正美
Google DeepMind News
Google DeepMind News
D
Docker
H
Help Net Security
Stack Overflow Blog
Stack Overflow Blog
宝玉的分享
宝玉的分享
博客园_首页
Microsoft Security Blog
Microsoft Security Blog
Engineering at Meta
Engineering at Meta
Know Your Adversary
Know Your Adversary
P
Privacy & Cybersecurity Law Blog
P
Proofpoint News Feed
T
Tenable Blog
S
Schneier on Security
V
Vulnerabilities – Threatpost
V
V2EX
T
Tor Project blog
Security Latest
Security Latest
S
Securelist
G
Google Developers Blog
NISL@THU
NISL@THU
Schneier on Security
Schneier on Security
Webroot Blog
Webroot Blog
小众软件
小众软件
Google Online Security Blog
Google Online Security Blog
阮一峰的网络日志
阮一峰的网络日志
W
WeLiveSecurity
IT之家
IT之家
I
InfoQ
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
月光博客
月光博客
I
Intezer
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
博客园 - 【当耐特】
The GitHub Blog
The GitHub Blog
Cloudbric
Cloudbric
Scott Helme
Scott Helme
The Cloudflare Blog
L
LINUX DO - 热门话题

The Cloudflare Blog

A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed Introducing Precursor: detecting agentic behavior with continuous client-side signals Improving Smart Tiered Cache for public cloud regions Why we cannot wait for better post-quantum signature algorithms Introducing Meerkat- an experiment in global consensus Cloudflare proudly joins the UK government Your Worker can now have its own cache in front of it Your site, your rules: new AI traffic options for all customers Announcing the Monetization Gateway: charge for any resource behind Cloudflare via x402 Content Independence Day, one year on- building the business model for the agentic Internet Making AI search smarter Unmasking the crawls with Attribution Business Insights How we built saga rollbacks for Cloudflare Workflows Unlocking the Cloudflare app ecosystem with OAuth for all The post-quantum EO is an important milestone. Now it’s time to get to work How we found a bug in the hyper HTTP library Temporary Cloudflare Accounts for AI agents Build your own vulnerability harness Celebrating 12 years of Project Galileo Bringing more agent harnesses to Cloudflare, starting with Flue Introducing the Cloudflare One stack- agent-powered deployment Cloudflare DMARC Management is now generally available Growing the Cloudflare AI team with talent from Ensemble AI Scaling Security Insights: how we achieved a 10x increase in global scanning capacity Route public traffic to private applications with Cloudflare Defend against frontier cyber models: Cloudflare's architecture as customer zero Turning Cloudflare’s threat indicators into real-time WAF rules Your AI bill is out of control. Cloudflare can fix it now. VoidZero is joining Cloudflare Enforcing the First AS in BGP AS PATHs How we reduced core unit boot time from hours to minutes How we built Cloudflare's data platform and an AI agent on top of it Iran's Internet is partially restored, Cloudflare Radar data shows Announcing Claude Compliance API support with Cloudflare CASB Announcing Claude Managed Agents on Cloudflare Project Glasswing: what Mythos showed us Our billing pipeline was suddenly slow. The culprit was a hidden bottleneck in ClickHouse Browser Run: now running on Cloudflare Containers, it’s faster and more scalable When "idle" isn't idle: how a Linux kernel optimization became a QUIC bug Building For The Future How Cloudflare responded to the “Copy Fail” Linux vulnerability When DNSSEC goes wrong: how we responded to the .de TLD outage Code Orange: Fail Small is complete. The result is a stronger Cloudflare network Introducing Dynamic Workflows: durable execution that follows the tenant Post-quantum encryption for Cloudflare IPsec is generally available Agents can now create Cloudflare accounts, buy domains, and deploy Shutdowns, power outages, and conflict: a review of Q1 2026 Internet disruptions Making Rust Workers reliable: panic and abort recovery in wasm‑bindgen Moving past bots vs. humans Building the agentic cloud: everything we launched during Agents Week 2026 The AI engineering stack we built internally — on the platform we ship
Cloudflare WAF protects WordPress applications from two high-severity vulnerabilities
Daniele Molt · 2026-07-18 · via The Cloudflare Blog

Cloudflare has deployed new Web Application Firewall (WAF) protections for two critical vulnerabilities affecting WordPress. The protections address an Unauthenticated Remote Code Execution (RCE) vulnerability in WordPress's REST API and a related SQL Injection vulnerability.

The WordPress security team disclosed the vulnerabilities to Cloudflare before public release so that we could prepare protections for customers. Cloudflare has deployed the new rules to protect all customers, including those on free and paid plans, as long as their application traffic is proxied through the Cloudflare WAF. The rules were deployed at 17:03 UTC on July 17 2026.

WAF protections reduce exposure while customers update, but they are not a substitute for patching. WordPress has released fixes in version 7.0.2, with backports to affected earlier branches: 6.9.5, 6.8.6, and 7.1 Beta 2 (see release details). Versions earlier than 6.8 are not affected. WordPress is treating this as its highest-severity, highest-priority class of issue and is forcing automatic updates to affected sites, so most sites will be updated automatically. We still recommend confirming that you are on a patched release or the backports for your branch and follow the guidance in the official WordPress security release announcement

What you need to know

The vulnerabilities affect different parts of the request path:

  • CVE-2026-60137: SQL injection. A vulnerability in WordPress version 6.8 and later allows crafted input to alter a database query. Rating High.
  • CVE-2026-63030: Unauthenticated remote code execution. A vulnerability in WordPress version 6.9 and later allows an unauthenticated attacker to execute code through the batch endpoint of the REST API when a persistent object cache is not in use. This vulnerability is related to the SQL injection described above. No login or user interaction is required to exploit this vulnerability. Rating Critical.

The SQL injection vulnerability is present from version 6.8 onwards, while the RCE only affects versions from 6.9. So 6.8.6 addresses the SQLi only since the RCE isn't present on 6.8, while 6.9.5, 7.0.2, and 7.1 Beta 2 get fixes for both.

Cloudflare created two rules to detect requests associated with these vulnerabilities:

Rule description

CVE

Rule ID for Managed Ruleset

Rule ID for Free Ruleset

Default action

Wordpress - SQL Injection - CVE:CVE-2026-60137

CVE-2026-60137

1c060d3a371549219ee290d7ed933fcc

db003b39b7774859a8d588ce33697a1a

Block

Wordpress - Remote Code Execution - CVE:CVE-2026-63030

CVE-2026-63030

7dfb2bd4708d4b88b9911dc0550664b6

ebd3f2df15c74ddcbf6220c9b5ec246a

Block

Cloudflare customers running WordPress sites on Pro, Business, or Enterprise plans should ensure that Cloudflare Managed Rules are enabled. Customers can follow the steps in our WAF Managed Rules documentation. Customers on free plans are automatically protected through the Free Ruleset.

The new rules are deployed with the default Managed Ruleset action of Block. Customers running WordPress sites should review any ruleset-level overrides, including those that change all rules from Block to Log, and ensure the new rules use the recommended action while they update WordPress. Cloudflare customers should also monitor Security Events for requests matching either rule. 

Defense in depth while you patch

The SQL injection rule detects crafted parameter values before they reach WordPress. The unauthenticated RCE rule targets requests attempting to reach the remote code execution path. Together, they detect the attack at two different points.

These rules reduce risk while organizations update affected systems; they do not fix the underlying vulnerable code. Updating WordPress remains the most effective way to address the vulnerabilities.
If an immediate update is not possible, verify that both Cloudflare rules are active with the recommended action and review logs for suspicious requests to the affected REST API endpoint.

Looking forward

Cloudflare will monitor matching traffic and test the rules against new attack variations, updating detections when needed.

We thank the WordPress security team for coordinating with Cloudflare and other infrastructure providers to help protect users before details of the vulnerabilities became public.