6 matches found
CVE-2026-60137 WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query
WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the authornotin parameter of WPQuery, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter...
CVE-2026-60137
CVE-2026-60137 affects WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2. The issue is a failure to sanitize the author__not_in parameter in WP_Query, enabling potential SQL Injection when untrusted input is passed by a plugin or theme. Mitigation is to update to 6.8.6, 6.9...
CVE-2026-60137 WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query
WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the authornotin parameter of WPQuery, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter...
CVE-2026-63030 WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the authornotin WPQuery SQL Injection CVE-2026-60137, could allow an attacker to perform SQL Injection and achieve Remote Code Execution...
EUVD-2026-45279
WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the authornotin parameter of WPQuery, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter...
EUVD-2026-45280
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the authornotin WPQuery SQL Injection CVE-2026-60137, could allow an attacker to perform SQL Injection and achieve Remote Code Execution...