CVE-2026-60137 is a SQL injection vulnerability in WordPress core affecting WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2. The flaw is caused by improper sanitization of the author__not_in parameter in WP_Query, with reporting also describing insufficient escaping of that parameter and insufficient preparation of the resulting SQL query. When a plugin or theme passes untrusted input into author__not_in, attacker-controlled data can alter the generated database query and produce SQL injection. The issue is reachable over the network and does not require authentication in scenarios where the vulnerable parameter is exposed to attacker input through application functionality. The vulnerability has also been described as a foundational issue in a separate pre-authentication exploit chain, but this CVE itself is the underlying SQL injection flaw in WP_Query.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.
All candidate exploits were filtered out by Mallory's validation.
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A high-severity SQL injection vulnerability in WordPress Core that is discussed alongside the wp2shell RCE chain and affects certain WordPress versions, including the 6.8 branch.
A critical blind SQL injection vulnerability in WordPress WP_Query, reachable pre-auth via the REST batch endpoint confusion chain, and used as the foundation for the broader RCE chain described in the article.
A high-severity SQL injection vulnerability in WordPress core via the author__not_in parameter due to insufficient escaping and query preparation, which can be chained with CVE-2026-63030 to enable unauthenticated remote code execution.
A high-severity SQL injection vulnerability in WordPress affecting version 6.8 and later that allows crafted input to alter a database query.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.