CVE-2026-60137 in WordPress
Summary
by MITRE • 07/17/2026
WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability exists within the WordPress core query system where the author__not_in parameter in WP_Query class fails to properly sanitise user input before incorporating it into database queries. The flaw represents a classic sql injection vector that can be exploited when third-party plugins or themes pass untrusted data directly to this parameter without adequate validation or escaping. The vulnerability affects multiple WordPress versions including 6.8.x prior to 6.8.6, 6.9.x prior to 6.9.5, and 7.0.x prior to 7.0.2, indicating a widespread issue across the WordPress codebase that has persisted through several major releases.
The technical implementation of this vulnerability stems from insufficient input validation within WordPress's query processing mechanism. When plugins or themes utilize the author__not_in parameter in WP_Query objects, they typically pass user-supplied data directly to the database layer without proper sanitisation. This creates an opportunity for malicious actors to inject arbitrary sql commands that can manipulate database queries and potentially extract sensitive information from the underlying wordpress database. The vulnerability aligns with common weakness enumeration CWE-89 which specifically addresses sql injection flaws in software applications.
The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation could enable attackers to escalate privileges within the wordpress environment or even achieve remote code execution depending on the database configuration and available permissions. Attackers could leverage this vulnerability to bypass authentication mechanisms, modify content, delete database records, or access sensitive information such as user credentials, site configurations, and other stored data. The risk is particularly elevated in environments where plugins or themes process user input without proper sanitisation before passing it to WP_Query functions.
Mitigation strategies should focus on immediate patching of affected wordpress installations to the latest versions where this vulnerability has been addressed. System administrators must also implement proper input validation practices within custom plugins and themes, ensuring that all user-supplied data passed to WP_Query parameters undergoes appropriate sanitisation before database interaction. Security monitoring should be enhanced to detect unusual query patterns that might indicate sql injection attempts. Additionally, implementing web application firewalls and database activity monitoring can provide additional layers of protection against exploitation attempts. This vulnerability demonstrates the critical importance of input validation in content management systems and reinforces the need for regular security updates and comprehensive code review practices within wordpress plugin and theme development communities. The issue highlights how seemingly minor parameter handling flaws can create significant security risks when combined with third-party software components that may not follow proper security practices.