WordPress 7.0.2 Critical Security Update: Affected Versions and Immediate Checklist

Direct answer: update affected WordPress sites immediately. WordPress 7.0.2 was released on July 17, 2026 to fix one critical and one high-severity security issue. WordPress.org has enabled forced automatic updates for affected sites, but administrators should still verify the installed version, backups, site health and logs rather than assume the update completed.

Fast action checklist

  1. Take a fresh database and files backup.
  2. Check the installed WordPress core version.
  3. Update to 7.0.2, or install the appropriate security backport listed below.
  4. Verify the public site, login, REST API, forms, checkout and scheduled tasks.
  5. Review admin users and recent security/application logs for unexpected activity.

Which WordPress versions are affected?

The official WordPress release announcement provides this version guidance:

Installed branch Official status Security update
WordPress 7.0 Affected Update to 7.0.2
WordPress 6.9 Affected by both issues Update to 6.9.5
WordPress 6.8 Affected by the first issue Update to 6.8.6
WordPress 7.1 beta Affected by both issues Update test sites to 7.1 beta 2
Versions before 6.8 Not affected by these two disclosed issues Still plan an upgrade: WordPress notes that only the latest version is actively supported

Important: “not affected by these two issues” does not mean an old WordPress branch is generally safe or supported. It only describes the scope of this release.

What WordPress 7.0.2 fixes

WordPress.org lists two security fixes:

  • A facilitated SQL injection issue.
  • A REST API batch-route confusion and SQL injection issue that could lead to remote code execution.

The associated references are CVE-2026-60137 / GHSA-fpp7-x2x2-2mjf and CVE-2026-63030 / GHSA-ff9f-jf42-662q.

The official release confirms the vulnerabilities and their severity. It does not state in the announcement that exploitation has been observed in the wild, so site owners should not treat unverified exploitation claims as confirmed. The correct response is still to patch immediately because one issue can lead to remote code execution.

Safe WordPress 7.0.2 update checklist

1. Confirm the current version

In WordPress Admin, open Dashboard → Updates. If you manage the site with WP-CLI, run:

wp core version
wp core check-update

If an automatic update already ran, do not stop at the success email. Confirm the live version directly.

2. Create a restorable backup

Back up both the database and the WordPress files, including wp-content and wp-config.php. Confirm where the backup is stored and that you can access it. A backup that has never been tested should not be treated as a guaranteed restore point.

3. Update WordPress core

Use Dashboard → Updates → Update Now, your managed host’s update panel, or WP-CLI:

wp core update
wp core update-db

For multisite networks, review the network dashboard and run the database upgrade across the network if required by your normal deployment process.

4. Verify core file integrity

After the update, WP-CLI users can compare core files with the official checksums:

wp core verify-checksums

Investigate unexpected checksum failures. Do not delete files blindly on a production site; first determine whether they are legitimate customizations, stale core files or signs of compromise.

5. Run a focused smoke test

  • Homepage and several important landing pages return normally.
  • /wp-admin/ login works for an authorized administrator.
  • /wp-json/ responds as expected for your site.
  • Contact forms, search, checkout, membership and login flows work.
  • Cron jobs, queues, webhooks and third-party integrations continue running.
  • Page cache and object cache are purged if the host does not handle this automatically.

6. Review for suspicious changes

An update closes the vulnerable code path; it does not automatically investigate earlier activity. Review recent administrator-account changes, new plugins, modified files, unexpected scheduled tasks, web server logs, WAF alerts and database anomalies. If you find credible indicators of compromise, preserve evidence and use a proper incident-response process before rotating credentials or rebuilding the site.

What if the automatic update does not complete?

Check Dashboard → Updates, the site’s administrative email and your hosting panel. Common blockers include filesystem permissions, disabled background updates, insufficient disk space, version-control deployment rules and host-level update controls.

If you cannot patch immediately, contact the hosting provider and restrict risky access through your existing WAF or maintenance process. Temporary controls are not a substitute for installing the fixed WordPress version.

Should you test before updating?

For a routine feature release, staging-first testing is sensible. For this security release, the balance is different: take a backup, perform the focused compatibility checks your environment needs, and deploy without unnecessary delay. High-value ecommerce, membership and custom WordPress installations can use a fast staging smoke test, but should not leave production exposed for a prolonged testing cycle.

WordPress 7.0.2 FAQ

Is WordPress 7.0.2 a security update?

Yes. WordPress.org describes 7.0.2 as a security release fixing one critical and one high-severity issue.

Will WordPress 7.0.2 install automatically?

WordPress.org says forced updates were enabled through the automatic update system for affected sites, and supported sites will begin updating automatically. Administrators should verify the result because hosting and filesystem configurations can affect updates.

Is WordPress 6.9 affected?

Yes. The official announcement says WordPress 6.9 is affected by both vulnerabilities and provides version 6.9.5 as the security backport.

Is WordPress 6.8 affected?

WordPress 6.8 is affected by the first vulnerability. Version 6.8.6 contains the backported fix.

Is WordPress 7.1 Beta 1 safe to keep testing?

No. The official release says the WordPress 7.1 beta was affected by both issues. Update non-production test sites to WordPress 7.1 Beta 2.

Official sources

Last checked: July 18, 2026. This article avoids exploit instructions and focuses on defensive updating and verification.

Leave a Comment

muddaser logo

Public Speaker, Softskills trainer and technology enthusiast

Contact

Muddaser Altaf

Social Address