{"id":2549,"date":"2026-07-18T02:36:16","date_gmt":"2026-07-18T02:36:16","guid":{"rendered":"https:\/\/mailurdu.co.uk\/?p=2549"},"modified":"2026-07-18T02:36:16","modified_gmt":"2026-07-18T02:36:16","slug":"matt-important-security-update","status":"publish","type":"post","link":"https:\/\/mailurdu.co.uk\/?p=2549","title":{"rendered":"Matt: Important Security Update"},"content":{"rendered":"<p class=\"wp-block-paragraph\"><a href=\"https:\/\/wordpress.org\/news\/2026\/07\/wordpress-7-0-2-release\/\">WordPress 7.0.2<\/a> went out today with two important security updates. One is a type of pre-authorization RCE we (fortunately!) have only seen a few times in WordPress\u2019 23-year history; the last, I believe, <a href=\"https:\/\/wordpress.org\/documentation\/wordpress-version\/version-4-6-21\/\">in the PHPMailer class five years ago<\/a>. <\/p>\n<p class=\"wp-block-paragraph\">Major kudos to <a href=\"https:\/\/x.com\/hash_kitten\">Adam Kues<\/a> of <a href=\"https:\/\/slcyber.io\/\">Searchlight Cyber<\/a> for finding the batch REST API RCE, to TF1T, dtro, and haongo on the facilitated SQL injection! <\/p>\n<p class=\"wp-block-paragraph\">Thanks to <a href=\"https:\/\/en.wikipedia.org\/wiki\/Coordinated_vulnerability_disclosure\">responsible disclosure<\/a>, the WordPress.org Security team was able to coordinate with hosts and CDNs to mitigate the attack at the network layer. <em>Please upgrade anyway!<\/em> But it\u2019s a huge relief to know the vast majority of WordPress sites were protected by <a href=\"https:\/\/en.wikipedia.org\/wiki\/Defense_in_depth_(computing)\">defense-in-depth<\/a> even before the updates went out. <\/p>\n<p class=\"wp-block-paragraph\">I really appreciate how people and organizations that otherwise might not be on the best of terms come together in times like this. (<a href=\"https:\/\/wordpress.org\/news\/2026\/07\/wordpress-7-0-2-release\/\">Full credits in the release post<\/a>.) Everyone buries the hatchet to protect as many people as possible as quickly as possible.<\/p>\n<p class=\"wp-block-paragraph\">I\u2019ve said it before, I\u2019ll say it again: security is going to be a big topic this year as the technology industry digests the incredible advances in AI models. It\u2019s a good time to review your plans and processes, sweat the details, <a href=\"https:\/\/www.amazon.com\/dp\/1953953492\">invest in maintenance<\/a>, and <a href=\"https:\/\/en.wikipedia.org\/wiki\/System_Administrator_Appreciation_Day\">hug a sysadmin<\/a>. <img decoding=\"async\" alt=\"\ud83d\ude42\" class=\"wp-smiley\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f642.png\"\/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress 7.0.2 went out today with two important security updates. One is a type of pre-authorization RCE we (fortunately!) have only seen a few times in WordPress\u2019 23-year history; the last, I believe, in the PHPMailer class five years ago. <a class=\"read-more\" href=\"https:\/\/mailurdu.co.uk\/?p=2549\">\u0645\u0632\u06cc\u062f \u067e\u0691\u06be\u06cc\u06ba<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2549","post","type-post","status-publish","format-standard","hentry","category-pakistan"],"_links":{"self":[{"href":"https:\/\/mailurdu.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/2549","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mailurdu.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mailurdu.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mailurdu.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mailurdu.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2549"}],"version-history":[{"count":0,"href":"https:\/\/mailurdu.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/2549\/revisions"}],"wp:attachment":[{"href":"https:\/\/mailurdu.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mailurdu.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mailurdu.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}