Broken Access Control JUL 2023 Vulnerabilities
Tailored WordPress Security Report
Be informed about the latest Broken Access Control JUL 2023, identified and reported publicly. It is a +35% INCREASE compared to previous month, as specifically targeted Broken Access Control. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for tailored WP Security. The following cases made headlines PUBLICLY just last month in the Broken Access Control JUL 2023 category:
Hire security geeks to protect your WP/Woo from publicly reported cases of Broken Access Control JUL 2023 BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
| Abandoned Cart Lite for WooCommerce | Authentication Bypass (BAC) |
| AutomateWoo | Broken Access Control (BAC) |
| B2BKing | Price Modification (BAC) |
| B2BKing | Information Disclosure (BAC) |
| B2BKing Premium | Product Price Change (BAC) |
| BBS e-Popup | Broken Access Control (BAC) |
| BookIt | Authentication Bypass (BAC) |
| Brizy – Page Builder | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
| Caldera Forms Google Sheets Connector | Access (BAC) Code Update via Cross-Site Request Forgery (CSRF) |
| Cart2Cart: Magento to WooCommerce Migration | Broken Access Control (BAC) |
| Change WooCommerce Add To Cart Button Text | Broken Access Control (BAC) |
| CHP Ads Block Detector | Broken Access Control (BAC) |
| CMS Commander | Authorization Bypass (BAC) through Use of Insufficiently Unique Cryptographic Signature |
| Constant Contact Forms | Broken Access Control (BAC) |
| Contact Form & Lead Form Elementor Builder | Broken Access Control (BAC) |
| Contact Form by WD | Missing Authorization (BAC) in check_score |
| Contact Forms by Cimatti | Broken Access Control (BAC) |
| Core Web Vitals & PageSpeed Booster | Open Redirection (BAC) |
| Directorist | Arbitrary Content Deletion (BAC) |
| Directorist | Privilege Escalation (BAC) |
| Directorist | Arbitrary Post Deletion (BAC) |
| Dokan | PHP Object Injection (BAC) |
| Download Manager | Broken Access Control (BAC) |
| Download Monitor | Arbitrary File Upload (BAC) |
| Draw Attention | Missing Authorization (BAC) to Arbitrary Post Featured Image Modification (BAC) (BAC) |
| Duplicate Post Page Menu & Custom Post Type | Broken Access Control (BAC) |
| Dynamic Visibility for Elementor | Broken Access Control (BAC) |
| Elementor Pro | Broken Access Control (BAC) |
| Enhanced Text Widget | Broken Access Control (BAC) |
| EventON | Unauthenticated Event Access (BAC) |
| EventON | Unauthenticated Post Access (BAC) via Insecure Direct Object References (IDOR) |
| Extended Post Status | Broken Access Control (BAC) |
| Fat Rat Collect | Broken Access Control (BAC) |
| Feather Login Page | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
| Feather Login Page | Missing Authorization (BAC) to Authentication Bypass (BAC) and Privilege Escalation (BAC) |
| Feather Login Page | Missing Authorization (BAC) to Non-Arbitrary User Deletion (BAC) |
| File Uploader | Path Traversal (BAC) |
| Form Builder | CSV Injection (BAC) |
| Gallery Metabox | Missing Authorization (BAC) via gallery_remove |
| Gallery Metabox | Missing Authorization (BAC) |
| WordPress Go Pricing – WordPress Responsive Pricing Tables | Broken Access Control (BAC) |
| Gravity Forms | Unauthenticated PHP Object Injection (BAC) |
| Gutenverse | Broken Access Control (BAC) |
| Headless CMS | Broken Authentication (BAC) |
| Image Map Pro | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
| JS Help Desk – Best Help Desk & Support Plugin | IDOR Leading To Ticket Deletion (BAC) |
| KiviCare | Sensitive Information Disclosure (BAC) |
| MainWP Child | Information Disclosure (BAC) via Back-Up Files |
| MasterStudy LMS | Broken Access Control (BAC) |
| Members | Missing Authorization (BAC) to Settings Update |
| Metform Elementor Contact Form Builder | Information Disclosure (BAC) via ‘mf_payment_status’ shortcode |
| Metform Elementor Contact Form Builder | Unauthenticated CSV Injection (BAC) |
| Metform Elementor Contact Form Builder | Information Disclosure (BAC) via mf_last_name shortcode |
| Metform Elementor Contact Form Builder | Information Disclosure (BAC) via mf_last_name shortcode |
| Metform Elementor Contact Form Builder | Information Disclosure (BAC) via mf_thankyou shortcode |
| Metform Elementor Contact Form Builder | Information Disclosure (BAC) via ‘mf_transaction_id’ shortcode |
| Metform Elementor Contact Form Builder | Information Disclosure (BAC) via mf shortcode |
| MStore API | Missing Authorization (BAC) |
| Nested Pages | Missing Authorization (BAC) to Plugin Settings Reset (BAC) |
| Newspaper X | Unauthenticated Plugin Activation/Deactivation (BAC) |
| Ninja Forms | Arbitrary File Deletion (BAC) (BAC) |
| Online Booking & Scheduling Calendar for WordPress by vcita | Missing Authorization (BAC) to Account Logout |
| Online Booking & Scheduling Calendar for WordPress by vcita | Missing Authorization (BAC) on REST-API |
| Online Booking & Scheduling Calendar for WordPress by vcita | Missing Authorization (BAC) to Settings Update and Media Upload |
| Page Builder with Image Map by AZEXO | Missing Authorization (BAC) to Post Creation |
| Photo Gallery by 10Web | Broken Access Control (BAC) |
| Post Hit Counter | Broken Access Control (BAC) |
| Post to CSV by BestWebSoft | CSV Injection (BAC) |
| Protect WP Admin | Unauthenticated Protection Bypass (BAC) |
| ReDi Restaurant Reservation | Broken Access Control (BAC) |
| Restrict Content | Missing Authorization (BAC) to Notice Dismissal |
| ReviewX | Arbitrary Usermeta Update to Privilege Escalation (BAC) |
| Social Media & Share Icons | Broken Access Control (BAC) & Cross-Site Request Forgery (CSRF) |
| Spam protection, AntiSpam, FireWall by CleanTalk | Broken Access Control (BAC) |
| Subscribe2 | Missing Authorization (BAC) |
| SW Product Bundles | Broken Access Control (BAC) |
| Th Product Compare | Broken Access Control (BAC) |
| Tutor LMS | Unauthenticated Access (BAC) to Tutor LMS Lesson Resources via REST API |
| Uncanny Toolkit for LearnDash | Open Redirection (BAC) |
| Uncanny Toolkit for LearnDash | Broken Access Control (BAC) |
| Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | Multiple Broken Access Control (BAC) |
| Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | Arbitrary File Upload (BAC) |
| Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | Unrestricted Zip Extraction (BAC) |
| Upload Resume | Captcha Bypass (BAC) |
| User Email Verification for WooCommerce | Authentication Bypass (BAC) via weak token generation |
| WooCommerce Stripe Payment Gateway | Unauthenticated Broken Access Control (BAC) |
| Wordapp | Authorization Bypass (BAC) through Use of Insufficiently Unique Cryptographic Signature |
| WP Activity Log | Information Leak (BAC) |
| WP Cookie Notice for GDPR, CCPA & ePrivacy Consent | CSV Injection (BAC) |
| WP Directory Kit | Missing Authorization (BAC) to Plugin Settings Change (BAC)/Delete, Demo Import, Directory Kit Deletion (BAC) via wdk_admin_action |
| WP Hide Post | Cross-Site Request Forgery (CSRF) Leading To Post Status Change (BAC) |
| WP Inventory Manager | Inventory Items Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
| WP Mail Logging | Missing Authorization (BAC) to Notice Dismissal |
| WP Post Author | Privilege Escalation (BAC) |
| WP User Switch | Authentication Bypass (BAC) via Cookie |
| Zippy | PHP Object Injection (BAC) |
| WordPress Broken Access Control reported in 2023 so far | 377 |
Stay Healthy! A healthier online business starts today and it begins with your WP/Woo. Hire security experts to solve all your Broken Access Control JUL 2023 issues.
BRIEF: Broken Access Control JUL 2023 are critical security vulnerabilities in which attackers can perform any action (access, modify, delete) outside of WordPress or WooCommerce intended default user permissions (subscriber, customer, etc).
What is Broken Access Control?
A security threat, where intruders are able to gain access to unauthorized data. Broken access control is a failure on the OWN security to carry out and maintain pre-established user access policies. Bypassing intended permissions, intruders become able to reach sensitive information, modify and outright delete or download data, or perform business functions that you wouldn’t want them to perform. Like ordering a single product, paying and after confirmation tampering the saved cart ordered item numbers.
Broken access control vulnerabilities can have far-reaching consequences. Privileged data could be exposed, malware could be loaded to further attacks and destruction. Beyond the initial breach, companies face litigation, damage control, loss of market share and reputation, repair of compromised systems, and delays in deploying live improvements. With exploits and attacks more prevalent than ever, ensuring your system’s security is more important than ever.
What is Insecure Direct Object Reference (IDOR)?
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. It leads to access controls being circumvented. IDOR vulnerabilities are most commonly associated with reaching resources from database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.
What is Missing Authorization?
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including sensitive and private information exposures, remote or arbitrary code execution.
What is Directory or Path Traversal?
Directory traversal (or file path traversal) is a security vulnerability that allows an attacker to read specific files on the server that is running inside your WordPress or WooCommerce. This might include plugin or theme code and data, credentials for back-end systems, 3rd party integrations, hosting environment details, or sensitive operating system files. In some cases, an attacker might be able to write into these files on the server, allowing them to modify application data or behaviour, and ultimately taking full control of the infrastructure.
SOLVE TODAY any reported Broken Access Control JUL 2023 vulnerability! Do you suspect any Broken Access Control JUL 2023 in your WordPress / WooCommerce?
