Important Security Update
Essential brief
WordPress 7.0.2 was released on July 18, 2026, addressing two significant security vulnerabilities, including a rare pre-authorization remote code execution (RCE) flaw in the batch REST API. This u
Key topics
Key facts
Highlights
Why it matters
The WordPress 7.0.2 update addresses a rare and potentially severe security vulnerability that could allow unauthorized remote code execution, posing significant risks to millions of websites. Prompt application of this patch is essential to prevent exploitation and maintain the integrity of WordPress sites worldwide. This update highlights the importance of ongoing security vigilance in widely used open-source platforms.
On July 18, 2026, WordPress released version 7.0.2, which includes two important security patches. One of these vulnerabilities is a rare pre-authorization remote code execution (RCE) flaw found in the batch REST API. Such vulnerabilities have been infrequent in WordPress' 23-year history, with the last similar issue occurring about five years ago in the PHPMailer class. The discovery of this batch REST API RCE was credited to Adam Kues of Searchlight Cyber. This update addresses these critical security concerns to prevent potential exploitation by attackers. WordPress users and administrators are strongly encouraged to apply this update immediately to safeguard their websites. The update underscores the ongoing commitment to security within the WordPress ecosystem and highlights the importance of timely patching. While details of the vulnerabilities are limited to paid plans, the release emphasizes the need for vigilance in maintaining website security. This release serves as a reminder of the evolving threat landscape and the necessity for continuous monitoring and updating of web platforms.
Key topics in this update include important security, WordPress 7.0.2, and July 18.