WordPress 7.0.2 went out today with two important security updates. One is a type of pre-authorization RCE we (fortunately!) have only seen a few times in WordPress’ 23-year history; the last, I believe, in the PHPMailer class five years ago.

Major kudos to Adam Kues of Searchlight Cyber for finding the batch REST API RCE, to TF1T, dtro, and haongo on the facilitated SQL injection!

Thanks to responsible disclosure, the WordPress.org Security team was able to coordinate with hosts and CDNs to mitigate the attack at the network layer. Please upgrade anyway! But it’s a huge relief to know the vast majority of WordPress sites were protected by defense-in-depth even before the updates went out.

I really appreciate how people and organizations that otherwise might not be on the best of terms come together in times like this. (Full credits in the release post.) Everyone buries the hatchet to protect as many people as possible as quickly as possible.

I’ve said it before, I’ll say it again: security is going to be a big topic this year as the technology industry digests the incredible advances in AI models. It’s a good time to review your plans and processes, sweat the details, invest in maintenance, and hug a sysadmin. 🙂

Please consider helping!

Awake Freedom TV On Roku is Broken!  🙂

I could no longer maintain the costs on my own, so I moved the off of a dedicated server which was needed for the TV platform to work.  On top of that, I want to build an app Awake Freedom TV app, for mobile phones.  We need your help to first resurrect our TV channel, and then build the mobile app.   In order to do that, I need a minimum of 800/month on subscription payments.  Please help anyway you can with the form below.