WordPress 7.0.2 is now available.
The 7.0.2 security release addresses one critical and one high severity security issue.
Because this is a security release, it is recommended that you update your sites immediately. Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions.
To manually update you can visit your WordPress Dashboard, click “Updates”, and then click “Update Now”, or you can download WordPress 7.0.2 from WordPress.org. On sites that support automatic background updates, the update process will begin automatically.
Security updates included in this release
The security team would like to thank the following people for responsibly reporting vulnerabilities and allowing them to be fixed in this release:
- A facilitated SQL injection issue reported as a team by TF1T, dtro, and haongo
- A REST API batch-route confusion and SQL injection issue leading to Remote Code Execution reported by Adam Kues at Assetnote / Searchlight Cyber
For more information on this release, please visit the HelpHub site.
Backports
- WordPress 6.9 is affected by both vulnerabilities. Version 6.9.5 has been released containing fixes for both.
- WordPress 6.8 is only affected by the first vulnerability. Version 6.8.6 has been released containing a fix.
- The beta release of WordPress 7.1 is affected by both vulnerabilities. Version 7.1 beta2 has been released containing fixes for both.
- Versions of WordPress prior to 6.8 are not affected.
CVE and GHSA references
Thank you to these WordPress contributors
This release was led by John Blackbourn and Barry Abrahamson. In addition to the security researchers mentioned above, WordPress 7.0.2 would not have been possible without the significant contributions of the following people: Aaron Jorbin, Alex Concha, annezazu, Barry, David Baumwald, Dominik Schilling, Ehtisham Siddiqui, Joe Dolson, Joe Hoyle, John Blackbourn, Jonathan Desrosiers, Marius L. J., Matt Mullenweg, Mohammad Jangda, Peter Wilson, Sergey Biryukov, vortfu, Weston Ruter, plus representatives from Altis, Automattic, Bluehost, Cloudflare, GoDaddy, Hostinger, and WP Engine.

