The vulnerability reportedly allows an unauthenticated attacker to execute code via the WordPress REST API batch endpoint, potentially resulting in complete compromise of the website and its underlying data. No valid account or user interaction is required.

According to the advisory, the vulnerability affects WordPress versions 6.9.0 through 6.9.4 and versions 7.0.0 through 7.0.1. The issue is fixed in WordPress 6.9.5 and 7.0.2. A fix is also included in WordPress 7.1 Beta 2.

WordPress maintainers stated they are forcing updates for affected installations with automatic updates enabled. Administrators should nevertheless verify that each internet-facing WordPress website has successfully upgraded to WordPress 6.9.5, 7.0.2, or another fixed release appropriate for its branch. Workarounds are not recommended at this time.

  • Great, I’m going to have a busy Monday morning.

    This is why I love the clients that agreed to run static sites.

    • 11 hours

      I know Cloudflare can be a contentious topic here, but they rolled out a ruleset to their WAF for this to pseudo “patch” the vuln chain, until you can upgrade WP. So, if your clients use the Pro plan or above, they should be safe in the interim.