Aikido.Dev
Critical RCE Vulnerability in WordPress Core Requires Immediate Patch
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
On July 17, 2026, WordPress released version 7.0.2 to address a critical unauthenticated remote code execution (RCE) vulnerability, affecting over 500 million websites. The flaw, identified by Adam Kues of Searchlight Cyber, stems from a REST API batch-route confusion that allows anonymous attackers to exploit stock installations without plugins. Forced auto-updates have been enabled for affected sites due to the vulnerability's severity. Users are advised to update immediately to version 7.0.2 or 6.9.5 if on the 6.9 branch. Temporary mitigation measures include blocking access to the REST API batch endpoint. This incident marks the second SQL injection issue in a single WordPress core release, highlighting ongoing security challenges within the platform.
Key Points: • A critical RCE vulnerability in WordPress affects over 500 million sites. • Users must update to version 7.0.2 or 6.9.5 immediately to mitigate risks. • Temporary measures include blocking access to specific REST API endpoints.