Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
wordpress wordpress 2.6.3 vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2022-0827
The Bestbooks WordPress plugin up to and including 2.6.3 does not sanitise and escape some parameters before using them in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users
Presspage Bestbooks
8.8
CVSSv3
CVE-2024-0428
The Index Now plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.3. This is due to missing or incorrect nonce validation on the 'reset_form' function. This makes it possible for unauthenticated malicious users to d...
Kobzarev Index Now
7.5
CVSSv3
CVE-2022-3846
The Workreap WordPress theme prior to 2.6.3 has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.
Amentotech Workreap
7.5
CVSSv3
CVE-2021-24655
The WP User Manager WordPress plugin prior to 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access t...
Wpusermanager Wp User Manager
7.5
CVSSv3
CVE-2017-11658
In the WP Rocket plugin 2.9.3 for WordPress, the Local File Inclusion mitigation technique is to trim traversal characters (..) -- however, this is insufficient to stop remote attacks and can be bypassed by using 0x00 bytes, as demonstrated by a .%00.../.%00.../ attack.
Wp-rocket Wp-rocket 2.9.11
Wp-rocket Wp-rocket 2.9.10
Wp-rocket Wp-rocket 2.9.9
Wp-rocket Wp-rocket 2.9.8.1
Wp-rocket Wp-rocket 2.8.18
Wp-rocket Wp-rocket 2.8.17
Wp-rocket Wp-rocket 2.8.16
Wp-rocket Wp-rocket 2.8.15
Wp-rocket Wp-rocket 2.8.1
Wp-rocket Wp-rocket 2.8.0
Wp-rocket Wp-rocket 2.7.4
Wp-rocket Wp-rocket 2.7.3
Wp-rocket Wp-rocket 2.6.7
Wp-rocket Wp-rocket 2.6.6
Wp-rocket Wp-rocket 2.6.5
Wp-rocket Wp-rocket 2.6.4
Wp-rocket Wp-rocket 2.5.3
Wp-rocket Wp-rocket 2.5.2
Wp-rocket Wp-rocket 2.5.1
Wp-rocket Wp-rocket 2.5.0
Wp-rocket Wp-rocket 2.3.1
Wp-rocket Wp-rocket 2.3.0
6.1
CVSSv3
CVE-2019-18834
Persistent XSS in the WooCommerce Subscriptions plugin prior to 2.6.3 for WordPress allows remote malicious users to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php.
Woocommerce Subscriptions
6.1
CVSSv3
CVE-2019-6780
The Wise Chat plugin prior to 2.7 for WordPress mishandles external links because rendering/filters/post/WiseChatLinksPostFilter.php omits noopener and noreferrer.
Kaine Wise Chat
1 EDB exploit
4.8
CVSSv3
CVE-2021-24972
The Pixel Cat WordPress plugin prior to 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
Fatcatapps Pixel Cat
4.8
CVSSv3
CVE-2021-24516
The PlanSo Forms WordPress plugin up to and including 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Sto...
Planso Planso Forms
NA
CVE-2024-2949
The Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the carousel widget in all versions up...
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2020-17519
open redirect
CVE-2024-21683
cache poisoning
CVE-2021-47524
CVE-2021-47521
CVE-2024-5229
CVE-2021-47560
local
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
6
NEXT »