WordPress 7.0.2 Release Addresses Critical SQL Injection and RCE Vulnerabilities
WordPress 7.0.2, released July 17, 2026, patches a critical SQL injection flaw and a high-severity REST API confusion leading to RCE, with forced updates enabled.

WordPress has released version 7.0.2, a critical security update addressing two significant vulnerabilities. The release, which went live on July 17, 2026, includes fixes for a critical SQL injection issue and a high-severity flaw in the REST API that could lead to Remote Code Execution (RCE).
Due to the severity of these security concerns, the WordPress.org security team has enabled forced updates for all sites running affected versions. This measure aims to ensure that users are protected as quickly as possible from potential exploitation. Users can manually update by navigating to their WordPress Dashboard, clicking on 'Updates,' and then selecting 'Update Now,' or by downloading the latest version directly from WordPress.org.
The first vulnerability, described as a "facilitated SQL injection issue," was responsibly reported by a team including TF1T, dtro, and haongo. While details are scarce, SQL injection flaws typically allow attackers to interfere with the queries that an application makes to its database, potentially leading to data theft or manipulation.
The second, more severe vulnerability, involves a "REST API batch-route confusion and SQL injection issue leading to Remote Code Execution." This was reported by Adam Kues at Assetnote / Searchlight Cyber. This type of flaw could allow an attacker to execute arbitrary code on the server hosting the WordPress site, granting them significant control.
In addition to the latest 7.0.2 release, patches have been backported to older, still-supported versions of WordPress. Version 6.9.5 now includes fixes for both vulnerabilities, while version 6.8.6 addresses the SQL injection flaw. Even the beta release of WordPress 7.1 has received an update to version 7.1 beta2 to include these critical fixes.
WordPress versions prior to 6.8 are not affected by these specific vulnerabilities. The release was led by John Blackbourn and Barry Abrahamson, with significant contributions from numerous security researchers and members of the WordPress community, including representatives from major hosting providers and development companies.
This proactive patching and forced update strategy underscores the ongoing commitment to WordPress security. Users are strongly advised to update their installations immediately to mitigate the risks associated with these critical vulnerabilities. The WordPress security team thanks all researchers who responsibly disclosed these issues, allowing for timely remediation.
Cloudflare has proactively deployed Web Application Firewall (WAF) rules to protect its customers from both CVE-2026-60137 (SQL injection) and CVE-2026-63030 (unauthenticated RCE) affecting WordPress versions 6.8+ and 6.9+ respectively. These WAF protections offer an additional layer of defense, blocking malicious requests before they reach vulnerable WordPress installations, thereby reducing exposure while users update to the patched versions.