This SQL injection vulnerability is the second half of a critical exploit chain alongside CVE-2026-63030. On its own, CVE-2026-60137 requires a plugin or theme to pass untrusted input — but when combined with CVE-2026-63030's authentication bypass, it becomes exploitable on stock WordPress with no plugins installed.
WordPress 6.9.0–6.9.4 and 7.0.0–7.0.1 are affected. Update to WordPress 6.9.5 or 7.0.2 immediately. Both CVEs were patched in the same security release.
WordPress Core contains an SQL injection vulnerability in WP_Query where a query parameter is inserted directly into SQL without sanitisation when provided as a string value.
