Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4025 articles · 176782 vulns · 36/41 feeds (7d)
← Back to list
9.1
CVE-2026-60137PATCHED
wordpress · wordpress

WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query

Description

WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.

Affected Products

VendorProductVersions
wordpresswordpress6.8.0, 6.9.0, 7.0.0

References

  • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fpp7-x2x2-2mjf(vdb-entry, technical-description)
  • https://wordpress.org/news/2026/07/wordpress-7-0-2-release/(release-notes, vendor-advisory)

Related News (1 articles)

Tier C
VulDB6h ago
CVE-2026-60137 | WordPress up to 6.8.5/6.9.4/7.0.1 WP_Query sql injection
→ No new info (linked only)
CVSS 3.19.1 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA KEV❌ No
Actively exploited❌ No
Patch available
6.8.66.9.57.0.2
PublishedJul 17, 2026
Last enriched6h agov2
Tags
cvss:criticalremote-attack
Trending Score44
Source articles1
Independent1
Info Completeness8/14
Missing: epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-63030EXPKEV
WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution
Trending: 124
HIGHCVE-2026-9700EXP
Eventer <= 4.4.2 - Unauthenticated SQL Injection via 'code' Parameter
Trending: 13
MEDIUMCVE-2026-12097EXP
User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification
Trending: 12
CRITICALCVE-2026-6382EXP
Multiple elFinder Plugins - Authenticated OS Command Injection
Trending: 9
HIGHCVE-2026-8441EXP
WP Review Slider Pro <= 12.7.2 - Unauthenticated SQL Injection via 'notinstring' Parameter
Trending: 6

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 17, 2026
Discovered by ZDM
Jul 17, 2026
Updated: severity, cvssEstimate, affectedVersions, tags
Jul 17, 2026
Patch Available
Jul 17, 2026

Version History

v2
Last enriched 6h ago
v2Tier C6h ago

Updated severity to CRITICAL, added CVE ID (CVE-2026-60137), refined affected versions to include all point releases up to 6.8.5/6.9.4/7.0.1, and estimated CVSS at 9.0 for critical remote SQL injection vulnerability.

severitycvssEstimateaffectedVersionstags
via VulDB
v16h ago

Initial creation