CVE-2026-60137

Published Jul 17, 2026

Last updated 18 hours ago

CVSS medium 5.9
WordPress
wp2shell

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-60137 is a SQL injection vulnerability found in WordPress versions 6.8 and later. This flaw arises from the improper sanitization of the `author__not_in` parameter within `WP_Query` when untrusted data is passed to it by a plugin or theme. This vulnerability allows crafted input to alter a database query, potentially leading to unauthorized access or manipulation of data. Patches have been released for affected versions, specifically in WordPress 6.8.6, 6.9.5, and 7.0.2, as well as 7.1 beta2.

Description
WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.
Source
contact@wpscan.com
NVD status
Received

Insights

Analysis from the Intruder Security Team
Published Jul 17, 2026

This SQL injection vulnerability is the second half of a critical exploit chain alongside CVE-2026-63030. On its own, CVE-2026-60137 requires a plugin or theme to pass untrusted input — but when combined with CVE-2026-63030's authentication bypass, it becomes exploitable on stock WordPress with no plugins installed.

WordPress 6.9.0–6.9.4 and 7.0.0–7.0.1 are affected. Update to WordPress 6.9.5 or 7.0.2 immediately. Both CVEs were patched in the same security release.

WordPress Core contains an SQL injection vulnerability in WP_Query where a query parameter is inserted directly into SQL without sanitisation when provided as a string value.

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.9
Impact score
3.6
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-89

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

35

  1. wp2shell: Pre-auth RCE in WordPress Core An anonymous attacker can chain a REST API batch route confusion (CVE-2026-63030) with a WP_Query SQLi (CVE-2026-60137) to achieve remote code execution. Want to understand how the attack chain works and how to protect your WordPress site?

    @WordSec

    18 Jul 2026

    61 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. WordPress 7․0․2 released July 17, 2026, patches critical SQL injection flaws CVE-2026-60137 and CVE-2026-63030, affecting multiple versions. https://t.co/OGRajrObOp

    @f1tym1

    18 Jul 2026

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE: CVE-2026-63030 (wp2shell) Companion CVE: CVE-2026-60137 Type: Pre-Auth Blind SQL Injection Affected: WordPress 6.9.0–6.9.4, 7.0.0–7.0.1 Fixed: 6.9.5, 7.0.2+ https://t.co/du8398MSvj https://t.co/nDy3Ino053

    @cyber_advising

    18 Jul 2026

    1619 Impressions

    4 Retweets

    14 Likes

    12 Bookmarks

    1 Reply

    0 Quotes

  4. ‼ #WordPress: Disponibile Proof of Concept (PoC) per le vulnerabilità identificate dalle CVE-2026-60137 e CVE-2026-63030, già sanate dal vendor. Rischio: 🔴 Tipologia: 🔸 Remote Code Execution 🔗https://t.co/ghA7awqqDL ⚠ Importante mantenere aggiornati i sistemi h

    @csirt_it

    18 Jul 2026

    247 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. #wp2shell + CVE-2026-63030 breaks REST batch routing + CVE-2026-60137 injects SQL ---- + https://t.co/HcBushOAsr + https://t.co/QfHvBnALgw + https://t.co/Qz6DI2i7Uw + https://t.co/5bAREpXJpu

    @hahwul

    18 Jul 2026

    390 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    1 Reply

    0 Quotes

  6. 🚨 WordPress'te kimlik doğrulaması gerektirmeyen kritik seviye bir RCE zafiyeti (CVE-2026-63030) tespit edildi. Zafiyet, arka planda CVE-2026-60137 ile bağlantılı olarak çalışıyor. ⚙️ Sistemde kalıcı bir object cache kullanılmadığı durumlarda, doğrudan REST

    @pamircil

    18 Jul 2026

    212 Impressions

    0 Retweets

    8 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  7. What happens if you ask Kimi K3 to develop exploits for > CVE-2026-63030 breaks REST batch routing > CVE-2026-60137 injects SQL Anyone?

    @RichardGarwe

    18 Jul 2026

    83 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨 CRITICAL - WordPress Core Unauthenticated Remote Code Execution (CVE-2026-63030 / CVE-2026-60137) WordPress core is vulnerable to a critical zero-precondition RCE exploit chain dubbed "wp2shell". The root cause combines a REST API batch-route confusion (CVE-2026-63030) with

    @UpwindMDR

    18 Jul 2026

    183 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. #WordPress #Seguridad Si usas WordPress 6.9, 6.9 o 7.0, actualiza a las últimas versiones disponibles. Hay unos parches de seguridad que corrigen 2 elementos críticos (RCE / SQLi). - CVE-2026-60137: corrigen: 6.8.6 - 6.9.5 - 7.0.2 - CVE-2026-63030: corrigen: 6.9.5 - 7.0.2

    @JavierCasares

    18 Jul 2026

    151 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Pokud jste ještě nektualizovali WordPress tak zbystřee, jsou tam dvě závažné chyby přímo v jádře. CVE-2026-60137: SQL injection a CVE-2026-63030: Unauthenticated remote code execution. https://t.co/yVk4KDcD6n

    @365tipu

    18 Jul 2026

    207 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Non-destructive detector + Docker lab for wp2shell (CVE-2026-63030 REST /batch/v1 route confusion + CVE-2026-60137 author__not_in SQLi) in WordPress core 6.9.0-6.9.4 / 7.0.0-7.0.1 https://t.co/eB9AVpUfSD

    @SajjadSiam01

    18 Jul 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Wp2Shell Critical pre authentication remote code execution (RCE) in WordPress Core (CVE-2026-63030 and CVE-2026-60137). It allows anonymous attackers to execute arbitrary code on a default WordPress installation without requiring user login or plugins. https://t.co/ujtN7Jwn1j

    @7h3h4ckv157

    18 Jul 2026

    2065 Impressions

    4 Retweets

    19 Likes

    10 Bookmarks

    0 Replies

    0 Quotes

  13. Wp2Shell Critical pre-authentication remote code execution (RCE) vulnerability in WordPress Core (CVE-2026-63030 and CVE-2026-60137). It allows anonymous attackers to execute arbitrary code on a default WordPress installation without requiring user login or plugins.

    @7h3h4ckv157

    18 Jul 2026

    525 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Non-destructive detector + Docker lab for wp2shell (CVE-2026-63030 REST /batch/v1 route confusion + CVE-2026-60137 author__not_in SQLi) in WordPress core 6.9.0-6.9.4 / 7.0.0-7.0.1 https://t.co/uGxtDZtA7j

    @Dinosn

    18 Jul 2026

    6950 Impressions

    14 Retweets

    82 Likes

    51 Bookmarks

    4 Replies

    0 Quotes

  15. It's Friday, so of course we can't have nice things! Initial technical analysis of #wp2shell CVE-2026-63030 and CVE-2026-60137 from the @VulnCheckAI research team — so far, it could be worse (but it's still not great): https://t.co/dLROB0N2ZD

    @catc0n

    18 Jul 2026

    1061 Impressions

    4 Retweets

    15 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  16. RCE in WordPress CVE-2026-63030/CVE-2026-60137 https://t.co/ZKepZbNKbr Credit: @wordpressdotcom https://t.co/ngNGhcKzFh

    @CoyEmerald1

    17 Jul 2026

    305 Impressions

    2 Retweets

    9 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  17. CVE-2026-63030 (RCE, Critical) and CVE-2026-60137 (SQLi, High) hit WordPress 6.8+; Cloudflare WAF rules went live at 17:03 UTC July 17, blocking exploitation for all proxied customers > Cloudflare deployed WAF rules for two WordPress vulnerabilities disclosed July 17: an

    @0J0BIT

    17 Jul 2026

    144 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨Searchlight Cyber's research team has found a pre-authentication RCE in WordPress Core. affected versions: 6.9.0–6.9.4, 7.0.0–7.0.1 No preconditions, exploitable by an anonymous user on a stock install with no plugins. CVE-2026-63030/CVE-2026-60137 https://t.co/LKa1

    @ITSecurityguard

    17 Jul 2026

    39594 Impressions

    84 Retweets

    290 Likes

    172 Bookmarks

    10 Replies

    12 Quotes