The WordPress security team received reports about these flaws:
CVE-2026-60137 : A facilitated SQL injection issue reported as a team by TF1T, dtro, and haongo
By infosecbulletin
/ Saturday , July 18 2026
A new free tool is adding AI helpers into security work. PentestCode is a version of OpenCode made just for...
Read More
By infosecbulletin
/ Saturday , July 18 2026
The WordPress security team received reports about these flaws: CVE-2026-60137 : A facilitated SQL injection issue reported as a team...
Read More
By infosecbulletin
/ Friday , July 17 2026
A Windows security flaw called LegacyHive (MSNightmare) misuses the User Profile Service. This allows local users to gain higher privileges,...
Read More
By infosecbulletin
/ Thursday , July 16 2026
Zoom has issued updates for a flaw in the Windows desktop client, known as CVE-2026-53412. This issue may allow an...
Read More
By infosecbulletin
/ Thursday , July 16 2026
India is speeding up its work to make homegrown AI models for cybersecurity. These models will help protect important digital...
Read More
By infosecbulletin
/ Wednesday , July 15 2026
A serious security flaw in Cursor, a popular AI code editor used by more than 7 million developers, lets attackers...
Read More
By infosecbulletin
/ Wednesday , July 15 2026
Microsoft's Patch Tuesday in July 2026 fixes around 570 security flaws in its products. This comes after June's big update,...
Read More
By infosecbulletin
/ Wednesday , July 15 2026
Fortinet fixes seven new security warnings on July 14, 2026. These affect FortiOS, FortiProxy, FortiPAM, and FortiSandbox. The issues vary...
Read More
By infosecbulletin
/ Tuesday , July 14 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that hackers are using CVE-2008-4128, a CSRF flaw in Cisco...
Read More
By infosecbulletin
/ Tuesday , July 14 2026
Meta announced on Monday that its data center in Richland Parish, Louisiana, will grow to 5 gigawatts of computing power....
Read More
CVE-2026-63030 : A REST API batch-route confusion and SQL injection issue leading to Remote Code Execution reported by Adam Kues at Assetnote / Searchlight Cyber
Which versions of WordPress are vulnerable?
WordPress 6.9 is affected by both vulnerabilities. Version 6.9.5 has been released containing fixes for both.
WordPress 6.8 is only affected by the first vulnerability. Version 6.8.6 has been released containing a fix.
The beta release of WordPress 7.1 is affected by both vulnerabilities. Version 7.1 beta2 has been released containing fixes for both.
Versions of WordPress prior to 6.8 are not affected.
Emergency temporary mitigation
If you can’t do that, Security Researchers at Searchlight Cyber suggest you can temporarily protect your instance by blocking anonymous access to the batch API by:
Installing a plugin that blocks anonymous access to the rest API entirely; or
Blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level.
Note that both these solutions may have impact on legitimate use of the site and should only be considered emergency temporary measures until you can update.