CVE-2026-60137
Received Received - Intake

WordPress SQL Injection via WP_Query Author Parameter

Vulnerability report for CVE-2026-60137, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: WPScan

Description

WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
wordpress wordpress to 6.8.6 (exc)
wordpress wordpress to 6.9.5 (exc)
wordpress wordpress to 7.0.2 (exc)
wordpress wordpress From 6.8.0 (inc) to 6.8.6 (exc)
wordpress wordpress From 6.9.0 (inc) to 6.9.5 (exc)
wordpress wordpress From 7.0.0 (inc) to 7.0.2 (exc)
wordpress wordpress 7.1_beta2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is an SQL injection vulnerability in WordPress versions 6.8.0 through 6.8.5, 6.9.0 through 6.9.4, and 7.0.0 through 7.0.1. It occurs when untrusted input is passed to the author__not_in parameter of the WP_Query function, allowing attackers to manipulate SQL queries.

Detection Guidance

To detect this vulnerability, check your WordPress version against the affected ranges (6.8.0-6.8.5, 6.9.0-6.9.4, 7.0.0-7.0.1). Use commands like 'wp core version' in WordPress CLI or check the version in the admin dashboard. Inspect plugins or themes that use the author__not_in parameter in WP_Query for untrusted input handling.

Impact Analysis

An attacker could exploit this to extract sensitive data from the database, modify or delete data, or in some cases combine it with other vulnerabilities to execute remote code. The impact includes potential data breaches, unauthorized access, and system compromise.

Compliance Impact

This vulnerability could lead to unauthorized access or exposure of personal data, violating GDPR and HIPAA requirements for data protection and security. Organizations may face legal penalties, fines, or reputational damage if exploited.

Mitigation Strategies

Immediately update WordPress to a patched version (6.8.6, 6.9.5, 7.0.2, or 7.1 beta2). Remove or disable any plugins or themes that pass untrusted input to the author__not_in parameter. Monitor for suspicious database queries or unauthorized access attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60137. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart