CVE-2026-60137
EUVD-2026-4527917.07.2026, 20:17
WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| wordpress | wordpress | 6.8.0 ≤ 𝑥 < 6.8.6 | CNA |
| wordpress | wordpress | 6.9.0 ≤ 𝑥 < 6.9.5 | CNA |
| wordpress | wordpress | 7.0.0 ≤ 𝑥 < 7.0.2 | CNA |