Broken Access Control APR 2023 Vulnerabilities
Tailored WordPress Security Report
Be informed about the latest Broken Access Control APR 2023, identified and reported publicly. It is a +136% INCREASE compared to previous month, as specifically targeted Broken Access Control. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for tailored WP Security. The following cases made headlines PUBLICLY just last month in the Broken Access Control APR 2023 category:
Hire security geeks to protect your WP/Woo from publicly reported cases of Broken Access Control APR 2023 BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
| Advance WordPress Search Plugin | Broken Access Control (BAC) |
| Advanced Local Pickup for WooCommerce | Broken Access Control (BAC) |
| Advanced Product Labels for WooCommerce | Broken Access Control (BAC) |
| Auto Featured Image (Auto Post Thumbnail) | Arbitrary File Upload (BAC) |
| Backup Bank: WordPress Backup Plugin | Broken Access Control (BAC) |
| Branded Social Images | Broken Access Control (BAC) |
| Brands for WooCommerce | Broken Access Control (BAC) |
| Cart Notices for WooCommerce | Broken Access Control (BAC) |
| Chankhe Theme | Authenticated Arbitrary Plugin Activation (BAC) |
| Clone | Broken Access Control (BAC) |
| Coming Soon Landing Page and Maintenance Mode WordPress Plugin | Broken Access Control (BAC) |
| Contact Form Email | Missing Authorization (BAC) Leading To Feedback Submission |
| CP Contact Form with Paypal | Missing Authorization (BAC) Leading To Feedback Submission |
| CP Multi View Event Calendar | Missing Authorization (BAC) Leading To Feedback Submission |
| Data Tables Generator by Supsystic | Broken Access Control (BAC) |
| directory-pro | Privilege Escalation (BAC) |
| doctor-listing | Privilege Escalation (BAC) |
| Dynamics 365 Integration | Broken Access Control (BAC) |
| Easy Media Replace | Arbitrary File Deletion (BAC) |
| Easy Table of Contents | Broken Access Control (BAC) |
| Elementor Pro | Authenticated Arbitrary Options Change (BAC) |
| eRoom – Zoom Meetings & Webinar | Broken Access Control (BAC) |
| Event Espresso 4 Decaf | Bypass (BAC) |
| Ever Compare | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| Filebird | Broken Access Control (BAC) |
| final-user-wp-frontend-user-profiles | Privilege Escalation (BAC) |
| fitness-trainer | Privilege Escalation (BAC) |
| Free WooCommerce Theme 99fy Extension | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| Gallery Blocks with Lightbox | Missing Authorization (BAC) in pgc_sgb_add_dashboard_widget |
| GiveWP | Arbitrary Content Deletion (BAC) |
| Grid List View for WooCommerce | Broken Access Control (BAC) |
| Hotel Listing | Privilege Escalation (BAC) |
| HT Conctact Form 7 | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| HT Event | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| HT Politic | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| HT Portfolio | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| HT Slider For Elementor | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| If Menu | Broken Access Control (BAC) |
| institutions-directory | Privilege Escalation (BAC) |
| JS Job Manager | Broken Access Control (BAC) |
| lawyer-directory | Privilege Escalation (BAC) |
| Load More Products for WooCommerce | Broken Access Control (BAC) |
| Metform Elementor Contact Form Builder | Google reCAPTCHA Protection Bypass (BAC) |
| Min and Max Quantity for WooCommerce | Broken Access Control (BAC) |
| OAuth Server | Arbitrary Client Deletion (BAC) |
| OoohBoi Steroids for Elementor | Attachment Deletion (BAC) |
| OptinMonster | Arbitrary Post Content Disclosure (BAC) |
| Owl Carousel | Broken Access Control (BAC) |
| Pagination Styler for WooCommerce | Broken Access Control (BAC) |
| Paytium: Mollie payment forms & donations | Multiple Missing Authorization (BAC) |
| photographer-directory | Privilege Escalation (BAC) |
| Popup Maker | Unauthenticated Access (BAC) to debug log |
| Popup Maker | Broken Access Control (BAC) |
| Preview Link Generator | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| Product Tabs Manager for WooCommerce | Broken Access Control (BAC) |
| Product Watermark for WooCommerce | Broken Access Control (BAC) |
| Products Compare for WooCommerce | Broken Access Control (BAC) |
| Products Suggestions for WooCommerce | Broken Access Control (BAC) |
| ProfileGrid | Broken Access Control (BAC) |
| QuickSwish | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| RapidLoad Power-Up for Autoptimize | Multiple Missing Authorization (BAC) |
| Real Estate 7 Theme | Unauthenticated Arbitrary Email Sending (BAC) |
| Real Estate Directory Theme | Authenticated Arbitrary Plugin Activation (BAC) |
| real-estate-pro | Privilege Escalation (BAC) |
| Redirect Redirection | Cross-Site Request Forgery (CSRF) to Plugin Uninstallation (BAC) |
| Resoto Theme | Broken Access Control (BAC) to Arbitrary Plugin Activation (BAC) |
| Rife Elementor Extensions & Templates | Broken Access Control (BAC) |
| Safe SVG | Cross-Site Scripting (XSS) Bypass (BAC) |
| Sales Report for WooCommerce | Broken Access Control (BAC) |
| SEO Plugin by Squirrly SEO | Broken Access Control (BAC) |
| Sequential Order Numbers for WooCommerce | Broken Access Control (BAC) |
| Site Reviews | Broken Access Control (BAC) |
| Stock Sync for WooCommerce | Broken Access Control (BAC) |
| Stock Ticker | Broken Access Control (BAC) |
| Terms and Conditions Popup for WooCommerce | Broken Access Control (BAC) |
| TH Side Cart and Menu Cart for Woocommerce | Broken Access Control (BAC) |
| Total Poll Lite | Broken Access Control (BAC) |
| Total Theme | Authenticated Arbitrary Plugin Activation (BAC) |
| Types | Authenticated Arbitrary File Upload (BAC) |
| UpdraftPlus | Broken Access Control (BAC) |
| WC Sales Notification | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| WooCommerce Checkout Field Manager | Unauthenticated Arbitrary File Upload (BAC) |
| WooCommerce Payments | Unauthenticated Privilege Escalation (BAC) |
| WordPress Console | Broken Access Control (BAC) |
| WP Education | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| WP Film Studio | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| WP Insurance | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| WP News | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| WP Plugin Manager | Arbitrary Plugin Activation (BAC) via Cross-Site Request Forgery (CSRF) |
| WP Shamsi | Attachment Deletion (BAC) |
| WPCode | Library Authenticated Key Update/Deletion (BAC) |
| Yet Another Stars Rating | Cross-Site Scripting (XSS) & Arbitrary Shortcode Execution (BAC) |
| WordPress Broken Access Control reported in 2023 so far | 156 |
Stay Healthy! A healthier online business starts today and it begins with your WP/Woo. Hire security experts to solve all your Broken Access Control APR 2023 issues.
BRIEF: Broken Access Control APR 2023 are critical security vulnerabilities in which attackers can perform any action (access, modify, delete) outside of WordPress or WooCommerce intended default user permissions (subscriber, customer, etc).
What is Broken Access Control?
A security threat, where intruders are able to gain access to unauthorized data. Broken access control is a failure on the OWN security to carry out and maintain pre-established user access policies. Bypassing intended permissions, intruders become able to reach sensitive information, modify and outright delete or download data, or perform business functions that you wouldn’t want them to perform. Like ordering a single product, paying and after confirmation tampering the saved cart ordered item numbers.
Broken access control vulnerabilities can have far-reaching consequences. Privileged data could be exposed, malware could be loaded to further attacks and destruction. Beyond the initial breach, companies face litigation, damage control, loss of market share and reputation, repair of compromised systems, and delays in deploying live improvements. With exploits and attacks more prevalent than ever, ensuring your system’s security is more important than ever.
What is Insecure Direct Object Reference (IDOR)?
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. It leads to access controls being circumvented. IDOR vulnerabilities are most commonly associated with reaching resources from database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.
What is Missing Authorization?
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including sensitive and private information exposures, remote or arbitrary code execution.
What is Directory or Path Traversal?
Directory traversal (or file path traversal) is a security vulnerability that allows an attacker to read specific files on the server that is running inside your WordPress or WooCommerce. This might include plugin or theme code and data, credentials for back-end systems, 3rd party integrations, hosting environment details, or sensitive operating system files. In some cases, an attacker might be able to write into these files on the server, allowing them to modify application data or behavior, and ultimately taking full control of the infrastructure.
SOLVE TODAY any reported Broken Access Control APR 2023 vulnerability! Do you suspect any Broken Access Control APR 2023 in your WordPress / WooCommerce?
