{"id":11333,"date":"2026-07-18T08:06:16","date_gmt":"2026-07-18T02:36:16","guid":{"rendered":"https:\/\/4ksamachar.com\/?p=11333"},"modified":"2026-07-18T08:06:16","modified_gmt":"2026-07-18T02:36:16","slug":"matt-important-security-update","status":"publish","type":"post","link":"https:\/\/4ksamachar.com\/?p=11333","title":{"rendered":"Matt: Important Security Update"},"content":{"rendered":"<p class=\"wp-block-paragraph\"><a href=\"https:\/\/wordpress.org\/news\/2026\/07\/wordpress-7-0-2-release\/\" target=\"_blank\" rel=\"noopener\">WordPress 7.0.2<\/a> went out today with two important security updates. One is a type of pre-authorization RCE we (fortunately!) have only seen a few times in WordPress\u2019 23-year history; the last, I believe, <a href=\"https:\/\/wordpress.org\/documentation\/wordpress-version\/version-4-6-21\/\" target=\"_blank\" rel=\"noopener\">in the PHPMailer class five years ago<\/a>. <\/p>\n<p class=\"wp-block-paragraph\">Major kudos to <a href=\"https:\/\/x.com\/hash_kitten\">Adam Kues<\/a> of <a href=\"https:\/\/slcyber.io\/\" target=\"_blank\" rel=\"noopener\">Searchlight Cyber<\/a> for finding the batch REST API RCE, to TF1T, dtro, and haongo on the facilitated SQL injection! <\/p>\n<p class=\"wp-block-paragraph\">Thanks to <a href=\"https:\/\/en.wikipedia.org\/wiki\/Coordinated_vulnerability_disclosure\" target=\"_blank\" rel=\"noopener\">responsible disclosure<\/a>, the WordPress.org Security team was able to coordinate with hosts and CDNs to mitigate the attack at the network layer. <em>Please upgrade anyway!<\/em> But it\u2019s a huge relief to know the vast majority of WordPress sites were protected by <a href=\"https:\/\/en.wikipedia.org\/wiki\/Defense_in_depth_(computing)\" target=\"_blank\" rel=\"noopener\">defense-in-depth<\/a> even before the updates went out. <\/p>\n<p class=\"wp-block-paragraph\">I really appreciate how people and organizations that otherwise might not be on the best of terms come together in times like this. (<a href=\"https:\/\/wordpress.org\/news\/2026\/07\/wordpress-7-0-2-release\/\" target=\"_blank\" rel=\"noopener\">Full credits in the release post<\/a>.) Everyone buries the hatchet to protect as many people as possible as quickly as possible.<\/p>\n<p class=\"wp-block-paragraph\">I\u2019ve said it before, I\u2019ll say it again: security is going to be a big topic this year as the technology industry digests the incredible advances in AI models. It\u2019s a good time to review your plans and processes, sweat the details, <a href=\"https:\/\/www.amazon.com\/dp\/1953953492\" target=\"_blank\" rel=\"noopener\">invest in maintenance<\/a>, and <a href=\"https:\/\/en.wikipedia.org\/wiki\/System_Administrator_Appreciation_Day\" target=\"_blank\" rel=\"noopener\">hug a sysadmin<\/a>. <img decoding=\"async\" alt=\"\ud83d\ude42\" class=\"wp-smiley\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f642.png\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress 7.0.2 went out today with two important security updates. One is a type of pre-authorization RCE we (fortunately!) have only seen a few times in WordPress\u2019 23-year history; the last, I believe, in the PHPMailer class five years ago. Major kudos to Adam Kues of Searchlight Cyber for finding the batch REST API RCE, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11333","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"blog_post_layout_featured_media_urls":{"thumbnail":"","full":""},"categories_names":{"1":{"name":"Uncategorized","link":"https:\/\/4ksamachar.com\/?cat=1"}},"tags_names":[],"comments_number":"0","wpmagazine_modules_lite_featured_media_urls":{"thumbnail":"","cvmm-medium":"","cvmm-medium-plus":"","cvmm-portrait":"","cvmm-medium-square":"","cvmm-large":"","cvmm-small":"","full":""},"_links":{"self":[{"href":"https:\/\/4ksamachar.com\/index.php?rest_route=\/wp\/v2\/posts\/11333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/4ksamachar.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/4ksamachar.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/4ksamachar.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/4ksamachar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11333"}],"version-history":[{"count":0,"href":"https:\/\/4ksamachar.com\/index.php?rest_route=\/wp\/v2\/posts\/11333\/revisions"}],"wp:attachment":[{"href":"https:\/\/4ksamachar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/4ksamachar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/4ksamachar.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}