SQL Injection Vulnerability in WordPress Core Affecting Multiple Versions
CVE-2026-60137
9.1CRITICAL
What is CVE-2026-60137?
A vulnerability in WordPress allows for potential SQL Injection due to improper sanitization of the author__not_in parameter in WP_Query. When untrusted input is passed to this parameter via a plugin or theme, it could lead to unauthorized database queries. Affected versions include WordPress 6.8.x up to 6.8.6, 6.9.x up to 6.9.5, and 7.0.x up to 7.0.2. Website owners are advised to update their installations to mitigate risks associated with this security flaw.
Affected Version(s)
WordPress 6.8.0 < 6.8.6
WordPress 6.9.0 < 6.9.5
WordPress 7.0.0 < 7.0.2