External risk intelligence

WordPress SQL Injection via WP_Query Author Not In Parameter

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-60137

The vulnerability affects WordPress, which is commonly deployed as an internet-facing web application. Since the issue involves parameters reachable through themes or plugins on a public-facing site, the attack surface is typically exposed to the internet in common deployment patterns.

SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in WordPress could allow attackers to inject malicious code into your systems through the `author__not_in` parameter, impacting any active WordPress sites. This SQL injection flaw can be triggered by themes or plugins that don't properly handle untrusted input, potentially leading to unauthorized access and data manipulation.

  • Malicious code injection in WordPress sites.
  • Widely used software with external exposure.
  • Confirm relevance and exposure to business operations.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending a specially crafted request to a WordPress site. If a theme or plugin incorrectly handles user input and passes it to the `author__not_in` parameter within a WP_Query, it could allow an attacker to inject malicious SQL code. This could potentially lead to unauthorized access and modification of sensitive data on the website.

  • No authentication required.
  • Vulnerable `author__not_in` parameter.
  • SQL injection leading to data compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could impact WordPress sites when plugins or themes use untrusted input with the `author__not_in` parameter. This may lead to SQL injection, potentially affecting the integrity and confidentiality of the database.

  • Database integrity and confidentiality at risk.
  • Untrusted input to `author__not_in` parameter.
  • Database corruption or unauthorized data access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical SQL injection vulnerability in WordPress affects sites utilizing themes or plugins that pass untrusted input to the `WP_Query` author parameter. Initial actions should focus on identifying all instances of the affected WordPress versions across your infrastructure, determining their reachability from the internet, and confirming their business criticality. Subsequently, the accountable application owner or platform team must be engaged to prioritize and schedule remediation, coordinating with any relevant vendor-management teams if third-party solutions are involved.

  • Application owners or platform teams should own.
  • Verify external reachability and business criticality first.
  • Plan remediation based on confirmed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is WordPress and how is it used?

WordPress is a widely deployed content management system used to build and maintain websites. It relies on a core engine to manage content, often extended by third-party plugins and themes that add specialized functionality. Because it powers everything from simple blogs to complex enterprise portals, its underlying code—specifically its query-handling mechanisms—is central to site operations and database interactions.

How does CVE-2026-60137 cause an SQL injection?

This vulnerability is classified as Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It occurs because the software fails to sanitize input passed to the 'author__not_in' parameter within its query-building logic. When this happens, an attacker can manipulate the query structure, potentially allowing them to bypass intended restrictions and interact directly with the site's database to access or alter unauthorized information.

Do I need to worry if my plugins do not use the author parameter?

Not necessarily. The vulnerability is not triggered by the core WordPress software in isolation. It specifically requires a theme or plugin to take untrusted user input and pass it into the vulnerable 'author__not_in' parameter of the WP_Query function. If your active themes and plugins do not utilize this specific parameter for processing user-supplied data, the trigger path for this SQL injection flaw is likely absent.

Why is this CVE considered relevant for internet-facing sites?

Halo Surface Signal flags this as a priority because WordPress instances are commonly deployed as public-facing web applications. Since the attack vector is network-based and the vulnerable parameter can be reached through external requests if handled improperly by add-ons, sites exposed to the internet are more accessible to potential interference compared to those kept on internal, restricted networks.

How do I respond if I am running an affected WordPress version?

Start by identifying all WordPress installations in your environment and verifying if they are running the impacted versions. Once identified, evaluate whether the site is accessible from the internet. Coordinate with your application or platform owners to review the code of active themes and plugins for the use of the affected parameter, then prioritize updating the core software to a patched release to close the vulnerability.

References