WordPress Security Alert: Cloudflare Deploys WAF Rules for Critical RCE and SQLi

Cloudflare deploys emergency WAF measures against two critical WordPress flaws. Learn the details and how to safeguard your site.
Glowing shield with code brackets and padlock guarding WordPress symbol against RCE and SQLi.
Code bracket shield with padlock for WordPress security. By Andres SEO Expert.

Key Takeaways

  • Cloudflare deployed emergency WAF rules targeting CVE-2026-60137 (SQL injection) and CVE-2026-63030 (unauthenticated RCE) affecting WordPress 6.8+.
  • WordPress released patches in versions 7.0.2, 6.9.5, 6.8.6, and 7.1 Beta 2.
  • The WAF rules block exploit attempts but patching is essential; automatic updates are rolling out for eligible sites.

Cloudflare Rushes WAF Rules to Block Critical WordPress RCE and SQLi Flaws

In an emergency response earlier today, Cloudflare deployed dedicated Web Application Firewall (WAF) rules to protect WordPress sites from two severe vulnerabilities: CVE-2026-60137 (SQL injection) and CVE-2026-63030 (unauthenticated remote code execution). The flaws affect WordPress versions 6.8 and later, with the RCE impacting 6.9+. WordPress has released patches in versions 7.0.2, 6.9.5, 6.8.6, and 7.1 Beta 2, and is forcing automatic updates for affected sites.

Inside the Vulnerabilities and Cloudflare’s Response

The SQL injection flaw, present from version 6.8, allows crafted input to alter database queries. The more critical RCE, found in version 6.9 onwards, enables unauthenticated attackers to execute arbitrary code via the REST API batch endpoint when no persistent object cache is used. Cloudflare’s engineering team confirmed that the two issues are related.

Cloudflare deployed two rules at 17:03 UTC on July 17, 2026. The first rule targets SQL injection attempts (CVE-2026-60137), while the second blocks requests aiming to exploit the RCE vector (CVE-2026-63030). Both rules are set to ‘Block’ by default and are available to all Cloudflare customers, including free plan users, as long as traffic is proxied through the WAF.

Cloudflare’s announcement confirms the rules are part of its Managed Ruleset and Free Ruleset. Customers on Pro, Business, or Enterprise plans are advised to ensure Managed Rules are enabled. Free plan users receive automatic protection. Cloudflare stresses that these WAF rules are a temporary mitigation and not a substitute for patching.

Strategic Implications for the WordPress Ecosystem

The rapid coordination between Cloudflare and WordPress’ security team highlights the escalating threat landscape for the platform, which powers over 43% of the web. The forced automatic update policy used by WordPress for such high-severity issues sets a precedent for proactive defense. However, site owners should verify their patch status, as not all hosts support automatic updates.

This incident arrives amidst a flurry of WordPress developments. Recent reports also cover the new resizable editor, performance boosts in WordPress Studio, and the rise of agentic commerce. While these features drive innovation, security remains the bedrock of trust. The Cloudflare WAF rules provide a crucial safety net while the ecosystem updates.

According to analysis from Andres SEO Expert, the dual nature of the vulnerabilities — SQLi and RCE — indicates a systemic risk in the REST API and cache handling. Organizations running WordPress should review their object cache configurations and ensure they are on the latest patched versions. The WAF rules, while effective, should be considered a temporary measure; the only permanent fix is updating WordPress core.

Are You Prepared for the Next Wave of WordPress Threats?

Cloudflare’s swift action demonstrates the value of a robust web application firewall in a defense-in-depth strategy. However, the fundamental responsibility lies with site administrators to maintain updated software. As WordPress continues to evolve with AI and commerce integrations, the attack surface will only grow.

Staying ahead in the rapidly shifting landscape of WordPress requires precision. To future-proof your digital strategy and scale effortlessly, you need a foundation built on precision. Optimize your site with advanced speed engineering, secure your infrastructure in high-performance hosting environments, and streamline your entire workflow through autonomous AI pipelines. If you are ready to elevate your systems, Connect with Andres at Andres SEO Expert to build your ultimate architecture.

Frequently Asked Questions

What are the two critical WordPress vulnerabilities addressed by Cloudflare?

Cloudflare deployed WAF rules to block CVE-2026-60137 (SQL injection) and CVE-2026-63030 (unauthenticated remote code execution). The SQLi affects WordPress 6.8+, and the RCE affects 6.9+ via the REST API batch endpoint when no persistent object cache is used.

Which WordPress versions are patched for these flaws?

WordPress released patches in versions 7.0.2, 6.9.5, 6.8.6, and 7.1 Beta 2. The company is forcing automatic updates for affected sites.

What did Cloudflare do in response to the vulnerabilities?

Cloudflare deployed two dedicated WAF rules on July 17, 2026 at 17:03 UTC. One blocks SQL injection attempts (CVE-2026-60137) and the other blocks RCE exploit attempts (CVE-2026-63030). Both rules are set to ‘Block’ by default and are available to all Cloudflare customers, including free plan users, as long as traffic is proxied through the WAF.

Are the Cloudflare WAF rules a permanent fix?

No, Cloudflare stresses that these WAF rules are a temporary mitigation and not a substitute for patching. Site administrators should update WordPress to the latest patched version as soon as possible.

How can I ensure my site is protected if I use Cloudflare?

Ensure your traffic is proxied through Cloudflare’s WAF. Free plan users receive automatic protection. Pro, Business, or Enterprise customers should verify that Managed Rules are enabled. The rules are part of Cloudflare’s Managed Ruleset and Free Ruleset.

What strategic implications does this incident have for WordPress site owners?

The dual SQLi and RCE vulnerabilities indicate systemic risk in the REST API and cache handling. Organizations should review object cache configurations and ensure they are on the latest WordPress versions. The forced automatic update policy sets a precedent, but site owners should verify patch status, especially if their host does not support automatic updates.

Why is the RCE vulnerability more critical than the SQLi one?

The RCE (CVE-2026-63030) allows unauthenticated attackers to execute arbitrary code via the REST API batch endpoint when no persistent object cache is used, making it easier to fully compromise a site. The SQLi allows crafted input to alter database queries, which can also lead to data breaches.

Prev Next

Subscribe to My Newsletter

Subscribe to my email newsletter to get the latest posts delivered right to your email. Pure inspiration, zero spam.
You agree to the Terms of Use and Privacy Policy