Critical WordPress flaw lets attackers take over sites without logging in

A newly disclosed flaw in WordPress Core lets an attacker take full control of a website without any password, account, or user interaction, and the researchers who found it warn that a working exploit could appear within days. Tracked as CVE-2026-63030, the bug was disclosed on July 17, 2026 through a GitHub Security Advisory and is rated Critical.

Because WordPress powers a large share of the public web, a remotely exploitable bug in its core software puts a very large number of internet-facing sites at risk. The flaw sits in the WordPress REST API batch endpoint, a feature reachable over the network on a default installation, and it can be triggered by an unauthenticated request.

What is affected

The vulnerability affects WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1. It is fixed in WordPress 6.9.5 and 7.0.2, and the fix is also folded into the 7.1 Beta 2 release. Sites on releases earlier than 6.9 are not affected by this specific issue. Researchers at Searchlight Cyber, who identified the bug, said it can be exploited remotely against a default WordPress site with no extra plugins installed. Cloudflare noted that the vulnerable code path is reachable when a site is not using a persistent object cache.

How the attack works

The REST API batch endpoint lets a client bundle several API calls into a single request. On affected versions an unauthenticated attacker can abuse that endpoint to execute code on the server, which can lead to complete compromise of the site and the data behind it. No valid login and no victim interaction are required, which is what makes an unauthenticated remote code execution bug so dangerous. As of the initial disclosure, Searchlight Cyber had not published technical exploit details, and Rapid7 said it was not aware of confirmed exploitation in the wild.

That is not a reason to wait. Rapid7 Labs assessed that a public proof of concept is highly likely to appear quickly, in part because WordPress is open source and its code can be analyzed rapidly, including with AI tooling. The sites exposed the moment an exploit lands are the ones already running an unpatched version today.

What you should do

The urgency echoes a run of recently exploited internet-facing bugs, from a SharePoint flaw CISA added to its exploited list to the record July Patch Tuesday, where the gap between disclosure and mass exploitation keeps shrinking. Full details are in the original Rapid7 Labs analysis.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions