Cloudflare's Web Application Firewall (WAF) has been updated to protect WordPress applications from two critical vulnerabilities: an Unauthenticated Remote Code Execution (RCE) and a related SQL Injection vulnerability. The WAF protections have been deployed to all customers, including those on free and paid plans, to reduce exposure until customers can update their WordPress sites. WordPress has released fixes for the vulnerabilities in version 7.0.2 and has forced automatic updates for affected sites.