Categories: WordPress News

WordPress 7.0.2 Release

WordPress 7.0.2 is now available.

The 7.0.2 security release addresses one critical and one high severity security issue.

Because this is a security release, it is recommended that you update your sites immediately. Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions.

To manually update you can visit your WordPress Dashboard, click “Updates”, and then click “Update Now”, or you can download WordPress 7.0.2 from WordPress.org. On sites that support automatic background updates, the update process will begin automatically.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities and allowing them to be fixed in this release:

  • A facilitated SQL injection issue reported as a team by TF1T, dtro, and haongo
  • A REST API batch-route confusion and SQL injection issue leading to Remote Code Execution reported by Adam Kues at Assetnote / Searchlight Cyber

For more information on this release, please visit the HelpHub site.

Backports

  • WordPress 6.9 is affected by both vulnerabilities. Version 6.9.5 has been released containing fixes for both.
  • WordPress 6.8 is only affected by the first vulnerability. Version 6.8.6 has been released containing a fix.
  • The beta release of WordPress 7.1 is affected by both vulnerabilities. Version 7.1 beta2 has been released containing fixes for both.
  • Versions of WordPress prior to 6.8 are not affected.

CVE and GHSA references

Thank you to these WordPress contributors

This release was led by John Blackbourn and Barry Abrahamson. In addition to the security researchers mentioned above, WordPress 7.0.2 would not have been possible without the significant contributions of the following people: Aaron Jorbin, Alex Concha, annezazu, Barry, David Baumwald, Dominik Schilling, Ehtisham Siddiqui, Joe Dolson, Joe Hoyle, John Blackbourn, Jonathan Desrosiers, Marius L. J., Matt Mullenweg, Mohammad Jangda, Peter Wilson, Sergey Biryukov, vortfu, Weston Ruter, plus representatives from Altis, Automattic, Bluehost, Cloudflare, GoDaddy, Hostinger, and WP Engine.

A WordPress Commenter

Recent Posts

WordPress 7.1 Beta 1

WordPress 7.1 Beta 1 is ready for download and testing!  This beta release is intended…

2 days ago

Performance Chat Summary: 14 July 2026

The full chat log is available beginning here on Slack. WordPress Performance Trac tickets @westonruter…

3 days ago

Your Guide to WordCamp US 2026

August 16-19, 2026 | Phoenix Convention Center, Phoenix, Arizona WordCamp US 2026 returns for another…

4 days ago

WordPress 7.0.1 Maintenance Release

WordPress 7.0.1 is now available! This minor release includes fixes for 31 bugs throughout Core and the Block…

1 week ago

Performance Chat Summary: 30 June 2026

The full chat log is available beginning here on Slack. WordPress Performance Trac tickets @westonruter…

2 weeks ago

The First AI Leaders Graduates

On June 23, around 40 students from the University of Illinois Chicago (UIC), Louisiana Tech…

3 weeks ago