BAC SEP 2023: Broken Access Control SEP 2023
Tailored WordPress Security Report
Be informed about the latest Broken Access Control SEP 2023, identified and reported publicly. BAC SEP 2023 is a +14% INCREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for tailored WP Security. The following cases made headlines PUBLICLY just last month in the Broken Access Control SEP 2023 category:
WHO needs tailored WP security? EVERYBODY!
Today’s reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate “gazillion” different threats in your WordPress. Get your BAC SEP 2023: Broken Access Control SEP 2023 Patch Management.
| Accordion and Accordion Slider | Broken Access Control (BAC) |
| Accordion Slider | Broken Access Control (BAC) |
| AffiliateWP | Missing Authorization (BAC) to Arbitrary Plugin Activation |
| Album and Image Gallery plus Lightbox | Broken Access Control (BAC) |
| ARMember Premium | Broken Access Control (BAC) |
| Backup Migration | Missing Authorization (BAC) on handle_installation function |
| Biometric Login for WooCommerce | UnauthenticatedPrivilege Escalation (BAC) |
| Blog Designer – Post and Widget | Broken Access Control (BAC) |
| Cartpauj Register Captcha | Captcha Bypass (BAC) |
| Category Slider for WooCommerce | Broken Access Control (BAC) |
| Charitable | UnauthenticatedPrivilege Escalation (BAC) |
| Clone | Missing Authorization (BAC) on handle_installation function |
| Cost Calculator Builder | Broken Access Control (BAC) |
| Countdown Timer Ultimate | Broken Access Control (BAC) |
| Duplicate Post | Missing Authorization (BAC) on handle_installation function |
| Elements kit Elementor addons | Broken Access Control (BAC) |
| Enhanced Text Widget | Missing Authorization (BAC) on handle_installation function |
| Folders | Arbitrary File Upload (BAC) |
| Forminator | Unauthenticated Arbitrary File Upload (BAC) |
| Fusion Builder | Broken Access Control (BAC) |
| Gutenberg Blocks by Kadence Blocks | Unauthenticated Arbitrary File Upload (BAC) |
| Hide My WP Ghost | Captcha Bypass (BAC) |
| Highcompress Image Compressor | Broken Access Control (BAC) |
| InfiniteWP Client | Sensitive Information Exposure (BAC) |
| iThemes Sync | Broken Access Control (BAC) |
| JS Help Desk – Best Help Desk & Support Plugin | Arbitrary File Upload (BAC) |
| Justified Gallery | Broken Access Control (BAC) |
| LuckyWP Scripts Control | Broken Access Control (BAC) |
| MailChimp Forms by MailMunch | Broken Access Control (BAC) |
| Master Addons for Elementor | Broken Access Control (BAC) |
| Media from FTP | Arbitrary File Access (BAC) |
| Meta slider and carousel with lightbox | Broken Access Control (BAC) |
| Olive One Click Demo Import | Arbitrary File Upload (BAC) |
| Orders Tracking for WooCommerce | Arbitrary File Access (BAC)/Read |
| Paid Memberships Pro | Broken Access Control (BAC) |
| Paid Memberships Pro CCBill Gateway | Unauthenticated Broken Access Control (BAC) |
| Password Reset with Code for WordPress REST API | Privilege Escalation (BAC) Due To Weak Pin Generation |
| Popup by Supsystic | Broken Access Control (BAC) |
| Pop-up | Missing Authorization (BAC) on handle_installation function |
| Portfolio and Projects | Broken Access Control (BAC) |
| Post grid and filter ultimate | Broken Access Control (BAC) |
| Post Ticker Ultimate | Broken Access Control (BAC) |
| Premium Packages | Arbitrary User Meta Update to Privilege Escalation (BAC) |
| Premmerce User Roles | Broken Access Control (BAC) |
| Pricing Deals for WooCommerce | Broken Access Control (BAC) |
| Products Quick View for WooCommerce | Missing Authorization (BAC) |
| Profile Builder | Missing Authorization (BAC) to Initial Page Creation |
| Push Notification for Post and BuddyPress | Missing Authorization (BAC) to Unauthenticated Admin Notice Dismissal |
| Putler Connector for WooCommerce | Broken Access Control (BAC) |
| Putler Connector for WooCommerce | Unauthenticated Broken Access Control (BAC) |
| Real Estate Manager | Arbitrary Usermeta Update to Privilege Escalation (BAC) |
| Redirect Redirection | Missing Authorization (BAC) on handle_installation function |
| ReviewX | Broken Access Control (BAC) |
| RSS Redirect & Feedburner Alternative | Missing Authorization (BAC) on handle_installation function |
| SendPress Newsletters | Broken Access Control (BAC) |
| Shop as a Customer for WooCommerce | Privilege Escalation (BAC) |
| Simple Blog Card | Sensitive Information Exposure (BAC) |
| Simple Org Chart | Broken Access Control (BAC) |
| Simple URLs | Broken Access Control (BAC) |
| Slimstat Analytics | Broken Access Control (BAC) |
| Social Media & Share Icons | Missing Authorization (BAC) on handle_installation function |
| Social Share Icons & Social Share Buttons | Missing Authorization (BAC) on handle_installation function |
| SSL Mixed Content Fix | Missing Authorization (BAC) on handle_installation function |
| Sticky Social Media Icons | Broken Access Control (BAC) |
| Stripe Payment Gateway for WooCommerce | Missing Authorization (BAC) to Arbitrary Order Status Modification |
| Team Slider and Team Grid Showcase plus Team Carousel | Broken Access Control (BAC) |
| Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget | Broken Access Control (BAC) |
| Timeline and History slider | Broken Access Control (BAC) |
| Trending/Popular Post Slider and Widget | Broken Access Control (BAC) |
| Ultimate Posts Widget | Missing Authorization (BAC) on handle_installation function |
| Video gallery and Player | Broken Access Control (BAC) |
| WooCommerce PDF Invoice Builder | Missing Authorization (BAC) toSensitive Information Exposure (BAC) |
| WordPress Job Board and Recruitment Plugin – JobWP | Arbitrary File Upload (BAC) |
| WP-PostRatings | Rating limit Bypass (BAC) |
| WP Project Manager | Arbitrary Usermeta Update to Privilege Escalation (BAC) |
| WP Remote Users Sync | Missing Authorization (BAC) to Log View |
| WP Ultimate CSV Importer | Arbitrary Usermeta Update to Privilege Escalation (BAC) |
| WP Ultimate CSV Importer | PHP File Upload (BAC) toRemote Code Execution (RCE) |
| WP Ultimate CSV Importer | Sensitive Information Exposure (BAC) via Directory Listing |
| WP users media | Broken Access Control (BAC) |
| YITH WooCommerce Waiting List | Broken Access Control (BAC) |
| WordPress Broken Access Control reported in 2023 so far | 529 |
WHO needs tailored WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order BAC SEP 2023: Broken Access Control SEP 2023 Patch Management.
BRIEF: Broken Access Control SEP 2023 are critical security vulnerabilities in which attackers can perform any action (access, modify, delete) outside of WordPress or WooCommerce intended default user permissions (subscriber, customer, etc).
What is Broken Access Control?
A security threat, where intruders are able to gain access to unauthorized data. Broken access control is a failure on the OWN security to carry out and maintain pre-established user access policies. Bypassing intended permissions, intruders become able to reach sensitive information, modify and outright delete or download data, or perform business functions that you wouldn’t want them to perform. Like ordering a single product, paying and after confirmation tampering the saved cart ordered item numbers.
Broken access control vulnerabilities can have far-reaching consequences. Privileged data could be exposed, malware could be loaded to further attacks and destruction. Beyond the initial breach, companies face litigation, damage control, loss of market share and reputation, repair of compromised systems, and delays in deploying live improvements. With exploits and attacks more prevalent than ever, ensuring your system’s security is more important than ever.
What is Insecure Direct Object Reference (IDOR)?
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. It leads to access controls being circumvented. IDOR vulnerabilities are most commonly associated with reaching resources from database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.
What is Missing Authorization?
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including sensitive and private information exposures, remote or arbitrary code execution.
What is Directory or Path Traversal?
Directory traversal (or file path traversal) is a security vulnerability that allows an attacker to read specific files on the server that is running inside your WordPress or WooCommerce. This might include plugin or theme code and data, credentials for back-end systems, 3rd party integrations, hosting environment details, or sensitive operating system files. In some cases, an attacker might be able to write into these files on the server, allowing them to modify application data or behaviour, and ultimately taking full control of the infrastructure.
Security is not a single-task job
Need tailored WP Security and got no clue where to start? Hire an expert. Pay a coffee per week or figure it out yourself.
