Two critical SQLi vulnerabilities in WordPress

nikcub1 pts0 comments

WordPress 7.0.2 Release – WordPress News

Skip to content

Get WordPress

WordPress.org

News

WordPress 7.0.2 Release

All posts

Search results

WordPress 7.0.2 is now available.

The 7.0.2 security release addresses one critical and one high severity security issue.

Because this is a security release, it is recommended that you update your sites immediately. Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions.

To manually update you can visit your WordPress Dashboard, click “Updates”, and then click “Update Now”, or you can download WordPress 7.0.2 from WordPress.org. On sites that support automatic background updates, the update process will begin automatically.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities and allowing them to be fixed in this release:

A facilitated SQL injection issue reported as a team by TF1T, dtro, and haongo

A REST API batch-route confusion and SQL injection issue leading to Remote Code Execution reported by Adam Kues at Assetnote / Searchlight Cyber

For more information on this release, please visit the HelpHub site.

Backports

WordPress 6.9 is affected by both vulnerabilities. Version 6.9.5 has been released containing fixes for both.

WordPress 6.8 is only affected by the first vulnerability. Version 6.8.6 has been released containing a fix.

The beta release of WordPress 7.1 is affected by both vulnerabilities. Version 7.1 beta2 has been released containing fixes for both.

Versions of WordPress prior to 6.8 are not affected.

CVE and GHSA references

CVE-2026-60137 / GHSA-fpp7-x2x2-2mjf

CVE-2026-63030 / GHSA-ff9f-jf42-662q

Thank you to these WordPress contributors

This release was led by John Blackbourn and Barry Abrahamson. In addition to the security researchers mentioned above, WordPress 7.0.2 would not have been possible without the significant contributions of the following people: Aaron Jorbin, Alex Concha, annezazu, Barry, David Baumwald, Dominik Schilling, Ehtisham Siddiqui, Joe Dolson, Joe Hoyle, John Blackbourn, Jonathan Desrosiers, Marius L. J., Matt Mullenweg, Mohammad Jangda, Peter Wilson, Sergey Biryukov, vortfu, Weston Ruter, plus representatives from Altis, Automattic, Bluehost, Cloudflare, GoDaddy, Hostinger, and WP Engine.

Share this:

Share on Threads (Opens in new window)Threads

Share on Mastodon (Opens in new window)Mastodon

Share on Bluesky (Opens in new window)Bluesky

Share on X (Opens in new window)X

Share on Facebook (Opens in new window)Facebook

Share on LinkedIn (Opens in new window)LinkedIn

Get the Latest Updates

Subscribe to WordPress News

Email Address

Subscribe

Join 20.6K other subscribers

Contribute to WordPress

WordPress is open-source software created by a global community. There are many ways to get involved, whether through code, design, documentation, and more.

WordPress.org

WordPress.org

Visit our X (formerly Twitter) account

Visit our Bluesky account

Visit our Mastodon account

Visit our Threads account

Visit our Facebook page

Visit our Instagram account

Visit our LinkedIn account

Visit our TikTok account

Visit our YouTube channel

Visit our Tumblr account

The WordPress® trademark is the intellectual property of the WordPress Foundation.

wordpress visit release account share security

Related Articles