๐Ÿ” CVE Alert

CVE-2026-60137

CRITICAL 9.1

WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query

CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th

WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.

Vendor wordpress
Product wordpress
Ecosystems
Industries
WebMedia
Published Jul 17, 2026
Last Updated Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for wordpress wordpress

Be the first to know when new critical vulnerabilities affecting wordpress wordpress are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

WordPress / WordPress
6.8.0 < 6.8.6 6.9.0 < 6.9.5 7.0.0 < 7.0.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fpp7-x2x2-2mjf wordpress.org: https://wordpress.org/news/2026/07/wordpress-7-0-2-release/

Credits

TF1T dtro haongo WordPress Security Team