WordPress shipped an emergency security release on July 17 fixing a critical flaw that let an anonymous attacker run code on a plain WordPress install with no plugins. Confirm your site is running version 7.0.2, 6.9.5, or 6.8.6. Security researchers are already seeing attackers probe for it.
What happened
WordPress 7.0.2 fixes two bugs that combine into one serious problem.
The first is a SQL injection bug in WP_Query, the code WordPress uses to fetch content from your database. Normally, the REST API blocks this bug by checking that certain input is a list of numbers before it reaches the database.
The second bug breaks that check. A flaw in the REST API’s batch request feature, which lets multiple API calls run together, mixes up which handler validates which piece of data. That mix-up lets an attacker skip the number check entirely and send raw database commands instead. Chained together, the two bugs let an attacker with no account on your site take it over completely.
The batch request feature has existed since WordPress 5.6 in 2020. The bug that made it exploitable arrived only in WordPress 6.9. Security firm Patchstack, which published a technical breakdown of the chain, says it has already observed exploitation attempts in its logs.
Who is at risk
The SQL injection bug affects WordPress 6.8 through 7.0.1. The full remote-code-execution chain affects versions 6.9 through 7.0.1. Sites running WordPress 6.7 or earlier are not affected.
Security firm Wordfence notes one mitigating factor: sites that run a persistent object cache, such as Redis or Memcached, may not be exposed to the full attack chain. Many managed WordPress hosts run this kind of caching by default, though you should not treat that as a substitute for updating.
What to do
WordPress.org has turned on forced automatic updates for affected sites, so many of you may already be patched. Don’t assume. Check. Log in to your WordPress Dashboard, click Updates, and confirm your version reads 7.0.2 (or 6.9.5 or 6.8.6 if you’re on an older branch). If you’re running WordPress 7.1 Beta for testing, update to Beta 2, which includes the fix.
If Wordfence protects your site, Premium, Care, and Response customers received a firewall rule against the exploit on July 17. Free users get the same protection on August 16, 2026, so updating core promptly matters more in the meantime.
End of article