WordPress 7.0.2 Release – WordPress News
Skip to content
Get WordPress
WordPress.org
News
WordPress 7.0.2 Release
All posts
Search results
WordPress 7.0.2 is now available.
The 7.0.2 security release addresses one critical and one high severity security issue.
Because this is a security release, it is recommended that you update your sites immediately. Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions.
To manually update you can visit your WordPress Dashboard, click “Updates”, and then click “Update Now”, or you can download WordPress 7.0.2 from WordPress.org. On sites that support automatic background updates, the update process will begin automatically.
Security updates included in this release
The security team would like to thank the following people for responsibly reporting vulnerabilities and allowing them to be fixed in this release:
A facilitated SQL injection issue reported as a team by TF1T, dtro, and haongo
A REST API batch-route confusion and SQL injection issue leading to Remote Code Execution reported by Adam Kues at Assetnote / Searchlight Cyber
For more information on this release, please visit the HelpHub site.
Backports
WordPress 6.9 is affected by both vulnerabilities. Version 6.9.5 has been released containing fixes for both.
WordPress 6.8 is only affected by the first vulnerability. Version 6.8.6 has been released containing a fix.
The beta release of WordPress 7.1 is affected by both vulnerabilities. Version 7.1 beta2 has been released containing fixes for both.
Versions of WordPress prior to 6.8 are not affected.
CVE and GHSA references
CVE-2026-60137 / GHSA-fpp7-x2x2-2mjf
CVE-2026-63030 / GHSA-ff9f-jf42-662q
Thank you to these WordPress contributors
This release was led by John Blackbourn and Barry Abrahamson. In addition to the security researchers mentioned above, WordPress 7.0.2 would not have been possible without the significant contributions of the following people: Aaron Jorbin, Alex Concha, annezazu, Barry, David Baumwald, Dominik Schilling, Ehtisham Siddiqui, Joe Dolson, Joe Hoyle, John Blackbourn, Jonathan Desrosiers, Marius L. J., Matt Mullenweg, Mohammad Jangda, Peter Wilson, Sergey Biryukov, vortfu, Weston Ruter, plus representatives from Altis, Automattic, Bluehost, Cloudflare, GoDaddy, Hostinger, and WP Engine.
Share this:
Share on Threads (Opens in new window)Threads
Share on Mastodon (Opens in new window)Mastodon
Share on Bluesky (Opens in new window)Bluesky
Share on X (Opens in new window)X
Share on Facebook (Opens in new window)Facebook
Share on LinkedIn (Opens in new window)LinkedIn
Get the Latest Updates
Subscribe to WordPress News
Email Address
Subscribe
Join 20.6K other subscribers
Contribute to WordPress
WordPress is open-source software created by a global community. There are many ways to get involved, whether through code, design, documentation, and more.
WordPress.org
WordPress.org
Visit our X (formerly Twitter) account
Visit our Bluesky account
Visit our Mastodon account
Visit our Threads account
Visit our Facebook page
Visit our Instagram account
Visit our LinkedIn account
Visit our TikTok account
Visit our YouTube channel
Visit our Tumblr account
The WordPress® trademark is the intellectual property of the WordPress Foundation.