Vulnerability intelligence
CVE-2026-60137
WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.
CVSS Score
9.1
Critical
EPSS — Exploit Probability
0.0%
Riskier than 0% of all CVEs
Exploitation
Not in CISA KEV
No federal exploitation record
Remediation
unknown
Check vendor advisories
1 article across 1 outlet · first covered Jul 18, 2026 · latest Jul 18, 2026
Tracked incidents
Coverage timeline
-
WordPress SQLi bug allows remote code execution, update nowsecurityonline.info · Jul 18, 2026