{"id":5860,"date":"2026-07-18T02:36:16","date_gmt":"2026-07-18T02:36:16","guid":{"rendered":"https:\/\/frontlinenewsng.org\/?p=5860"},"modified":"2026-07-18T02:36:16","modified_gmt":"2026-07-18T02:36:16","slug":"matt-important-security-update","status":"publish","type":"post","link":"https:\/\/frontlinenewsng.org\/?p=5860","title":{"rendered":"Matt: Important Security Update"},"content":{"rendered":"<p class=\"wp-block-paragraph\"><a href=\"https:\/\/wordpress.org\/news\/2026\/07\/wordpress-7-0-2-release\/\">WordPress 7.0.2<\/a> went out today with two important security updates. One is a type of pre-authorization RCE we (fortunately!) have only seen a few times in WordPress\u2019 23-year history; the last, I believe, <a href=\"https:\/\/wordpress.org\/documentation\/wordpress-version\/version-4-6-21\/\">in the PHPMailer class five years ago<\/a>. <\/p>\n<p class=\"wp-block-paragraph\">Major kudos to <a href=\"https:\/\/x.com\/hash_kitten\">Adam Kues<\/a> of <a href=\"https:\/\/slcyber.io\/\">Searchlight Cyber<\/a> for finding the batch REST API RCE, to TF1T, dtro, and haongo on the facilitated SQL injection! <\/p>\n<p class=\"wp-block-paragraph\">Thanks to <a href=\"https:\/\/en.wikipedia.org\/wiki\/Coordinated_vulnerability_disclosure\">responsible disclosure<\/a>, the WordPress.org Security team was able to coordinate with hosts and CDNs to mitigate the attack at the network layer. <em>Please upgrade anyway!<\/em> But it\u2019s a huge relief to know the vast majority of WordPress sites were protected by <a href=\"https:\/\/en.wikipedia.org\/wiki\/Defense_in_depth_(computing)\">defense-in-depth<\/a> even before the updates went out. <\/p>\n<p class=\"wp-block-paragraph\">I really appreciate how people and organizations that otherwise might not be on the best of terms come together in times like this. (<a href=\"https:\/\/wordpress.org\/news\/2026\/07\/wordpress-7-0-2-release\/\">Full credits in the release post<\/a>.) Everyone buries the hatchet to protect as many people as possible as quickly as possible.<\/p>\n<p class=\"wp-block-paragraph\">I\u2019ve said it before, I\u2019ll say it again: security is going to be a big topic this year as the technology industry digests the incredible advances in AI models. It\u2019s a good time to review your plans and processes, sweat the details, <a href=\"https:\/\/www.amazon.com\/dp\/1953953492\">invest in maintenance<\/a>, and <a href=\"https:\/\/en.wikipedia.org\/wiki\/System_Administrator_Appreciation_Day\">hug a sysadmin<\/a>. <img decoding=\"async\" alt=\"\ud83d\ude42\" class=\"wp-smiley\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f642.png\" \/><\/p>","protected":false},"excerpt":{"rendered":"<p>WordPress 7.0.2 went out today with two important security updates. One is a type of pre-authorization RCE we (fortunately!) have only seen a few times in WordPress\u2019 23-year history; the last, I believe, in the PHPMailer class five years ago. Major kudos to Adam Kues of Searchlight Cyber for finding the batch REST API RCE, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"jetpack_seo_schema_type":"","_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[1],"tags":[],"class_list":["post-5860","post","type-post","status-publish","format-standard","hentry","category-latest-news"],"jetpack_featured_media_url":"","jetpack_likes_enabled":true,"jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/frontlinenewsng.org\/index.php?rest_route=\/wp\/v2\/posts\/5860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/frontlinenewsng.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/frontlinenewsng.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/frontlinenewsng.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/frontlinenewsng.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5860"}],"version-history":[{"count":0,"href":"https:\/\/frontlinenewsng.org\/index.php?rest_route=\/wp\/v2\/posts\/5860\/revisions"}],"wp:attachment":[{"href":"https:\/\/frontlinenewsng.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5860"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/frontlinenewsng.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/frontlinenewsng.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}