Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 17 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Wordpress
Wordpress wordpress |
|
| Vendors & Products |
Wordpress
Wordpress wordpress |
Fri, 17 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-89 | |
| Metrics |
cvssV3_1
|
Fri, 17 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter. | |
| Title | WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query | |
| References |
|
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-17T19:52:26.119Z
Reserved: 2026-07-17T17:17:24.479Z
Link: CVE-2026-60137
Updated: 2026-07-17T19:52:17.964Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T20:30:03Z