WordPress 7.0.2: Critical Security Patches You Need Now
WordPress released version 7.0.2 to fix one critical and one high-severity security vulnerability. If your site runs WordPress 6.8, 6.9, or 7.0.x, you are affected. The WordPress team has enabled forced auto-updates for these versions, but if you disabled auto-updates, you must update manually immediately.
What are the vulnerabilities?
The first is a facilitated SQL injection issue reported by researchers TF1T, dtro, and haongo. The second is a REST API batch-route confusion combined with SQL injection that can lead to Remote Code Execution (RCE), reported by Adam Kues at Assetnote/Searchlight Cyber. RCE means an attacker could potentially take full control of your server.
Which versions are affected?
- WordPress 6.9: both vulnerabilities → update to 6.9.5
- WordPress 6.8: only the first vulnerability → update to 6.8.6
- WordPress 7.0.x: both vulnerabilities → update to 7.0.2
- WordPress 7.1 beta: both vulnerabilities → update to 7.1 beta2
- Versions prior to 6.8: not affected
What does this mean for your business?
If you use a managed WordPress host (like WP Engine, Bluehost, or Cloudflare), they likely already applied the patch. If you self-host or manage your own updates, check your WordPress admin dashboard under Dashboard → Updates. If you see 7.0.2 available, update now. Delaying exposes your site to potential data breaches, malware, or complete takeover.
What This Means for Your Business
For most small businesses on managed hosting, this update will happen automatically. But if you run custom code, have disabled auto-updates, or use a staging workflow, you need to act today. The RCE vulnerability is especially dangerous because it doesn't require authentication—anyone on the internet could exploit it.
Your Move: Log into your WordPress admin and check your version. If it's not 7.0.2 (or 6.9.5/6.8.6 for older branches), click 'Update Now' immediately. Then verify your site is still working correctly.
FAQ
Probably not—your host likely applied the patch automatically. But verify your site version to be safe.
Your site remains vulnerable to SQL injection and remote code execution, which could lead to data theft, malware, or complete site takeover.

