CVE-2026-60137
WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th
WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.
| Vendor | wordpress |
| Product | wordpress |
| Ecosystems | |
| Industries | WebMedia |
| Published | Jul 17, 2026 |
| Last Updated | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for wordpress wordpress
Be the first to know when new critical vulnerabilities affecting wordpress wordpress are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
WordPress / WordPress
6.8.0 < 6.8.6 6.9.0 < 6.9.5 7.0.0 < 7.0.2
References
Credits
TF1T dtro haongo WordPress Security Team