Network provider Cloudflare recently published a blog post about emergency Web Application Firewall (WAF) rules. These new rules actively block the dangerous wp2shell vulnerability exploits. This specific flaw represents a critical Remote Code Execution (RCE) vulnerability inside the core WordPress code. Malicious actors can gain full administrative control over websites and databases without any authentication. Consequently, this severe breach creates massive security risks for site owners.
WordPress Issues Urgent Security Updates
After cybersecurity experts reported the flaw, the WordPress team immediately released multiple emergency patches. These crucial updates cover the 6.8.x, 6.9.x, 7.0.x, and 7.1.x branches. Because this exploit carries exceptionally high severity, developers utilized automated push updates. This proactive measure seamlessly upgrades the core versions for affected websites.
However, WordPress only executes minor version updates within existing branches to maintain software compatibility. For example, a 6.8.x installation will not directly upgrade to the 7.1.x series. Therefore, developers and webmasters must check their administrative dashboards for pending updates.
Cloudflare Swiftly Deploys WAF Rules
Cloudflare also received a direct security bulletin from the core WordPress team. Consequently, the provider proactively added two new rules to their firewall configurations. These specific directives effectively block unauthenticated Remote Code Execution and SQL injection flaws within the REST API. Furthermore, these essential protections activate automatically for all free-tier users. Meanwhile, premium account administrators should manually verify rule activation inside their dashboards.
As a result, WordPress sites on this network can automatically mitigate attacks using these free WAF rules. As detailed in their latest overview of WordPress vulnerabilities, staying protected is vital. Nevertheless, the safest strategy is always upgrading to a secure, patched version. Ultimately, updating your software completely removes the underlying security flaws.
Cloudflare WAF Rule Set Specifications
Newly Added Rule Set 1
- Rule Description: CVE-2026-63030 WordPress RCE Vulnerability
- Managed Rule Set ID: 7dfb2bd4708d4b88b9911dc0550664b6
- Free Rule Set ID: ebd3f2df15c74ddcbf6220c9b5ec246a
- Default Action: Block (Intercepts threats immediately upon detection)
Newly Added Rule Set 2
- Rule Description: CVE-2026-60137 WordPress SQL Injection
- Managed Rule Set ID: 1c060d3a371549219ee290d7ed933fcc
- Free Rule Set ID: db003b39b7774859a8d588ce33697a1a
- Default Action: Block (Intercepts threats immediately upon detection)
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.