WP BAC APR 2024
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control issues, identified and reported publicly. WP BAC APR 2024 is a +8% INCREASE compared to the previous month. Consider, for your online safety, a managed WP/Woo security AUDIT, or switching to a TOP10LIST alternative WP Security Plugin, or hiring us for your recurring needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate the "gazillion" different threats to your WordPress. Get your WP BAC APR 2024: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:

| Plugin / Theme | Vulnerability |
|---|---|
| 360 Javascript Viewer | Missing Authorisation (BAC) to Plugin Settings Update (BAC) |
| Accordion | Missing Authorisation (BAC) to Post Duplication |
| Advanced Classifieds & Directory Pro | Missing Authorisation (BAC) to Arbitrary Attachment Deletion (BAC) |
| affiliate-toolkit | Missing Authorisation (BAC) via atkp_create_list |
| affiliate-toolkit | Missing Authorisation (BAC) via atkp_import_product |
| AI Engine: ChatGPT Chatbot | Arbitrary File Upload (BAC) |
| AI WP Writer | Broken Access Control (BAC) |
| Ajax Load More | Directory Traversal (BAC) to Arbitrary File Read (BAC) |
| ArtiBot | Missing Authorisation (BAC) to Settings Update (BAC) |
| Auto Affiliate Links | Missing Authorisation (BAC) via aalAddLink |
| Avada Theme | Unauthenticated Sensitive Information Exposure via Form Upload (BAC) Directory Listing |
| Awesome Support | Broken Access Control (BAC) |
| Backuply – Backup, Restore, Migrate and Clone | Directory Traversal (BAC) |
| BEAR | Broken Access Control (BAC) |
| Booking Package | Price Manipulation (BAC) |
| Booster Elite for WooCommerce | Arbitrary File Upload (BAC) |
| BuddyForms | Missing Authorisation (BAC) to Unauthenticated Media Deletion (BAC) |
| BuddyForms | Missing Authorisation (BAC) |
| BuddyForms | Missing Authorisation (BAC) to Unauthenticated Media Upload (BAC) |
| Build & Control Block Patterns | Missing Authorisation (BAC) |
| Bulgarisation for WooCommerce | Missing Authorisation (BAC) |
| Calendarista Basic Edition | Broken Access Control (BAC) |
| Categorify | Multiple Missing Authorisation (BAC) |
| CGC Maintenance Mode | IP Filtering Bypass (BAC) |
| Change Memory Limit | Missing Authorisation (BAC) via admin_logic() |
| Chauffeur Taxi Booking System for WordPress | Arbitrary File Upload (BAC) |
| Church Admin | Broken Access Control (BAC) |
| CM Download Manager | Download Edit (BAC) via Cross-Site Request Forgery (CSRF) |
| CM Download Manager | Download Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
| CM Download Manager | Download Unpublish (BAC) via Cross-Site Request Forgery (CSRF) |
| Colibri Page Builder | Broken Access Control (BAC) |
| Colibri Page Builder | Missing Authorisation (BAC) |
| Coming Soon, Under Construction & Maintenance Mode By Dazzler | Maintenance Mode Bypass (BAC) |
| Complianz – GDPR/CCPA Cookie Consent | Cross-Site Request Forgery (CSRF) to Data Request Deletion (BAC) |
| Contests by Rewards Fuel | Cross-Site Scripting (XSS) via update_rewards_fuel_api_key (BAC) |
| Cryptocurrency Widgets – Price Ticker & Coins List | Broken Access Control (BAC) |
| CubeWP – All-in-One Dynamic Content Framework | Arbitrary File Upload (BAC) |
| DELUCKS SEO | Broken Access Control (BAC) |
| DX-Watermark | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) and Cross-Site Scripting (XSS) |
| Easy Appointments | Insufficient Authorisation (BAC) |
| Enjoy Social Feed plugin for WordPress website | Plugin Database Reset (BAC) |
| Error Log Viewer by BestWebSoft | Directory Listing (BAC) to Private Data Exposure |
| Essential Blocks for Gutenberg | Broken Access Control (BAC) |
| Event Tickets | Improper Authorisation (BAC) to Private Information Disclosure |
| EventPrime | Multiple Missing Authorisation (BAC) |
| EventPrime | Multiple Missing Authorisation (BAC) |
| EventPrime | Multiple Missing Authorisation (BAC) |
| Events Manager | Broken Access Control (BAC) |
| File Manager | Cross-Site Request Forgery (CSRF) to Local JS File Inclusion (BAC) |
| File Manager | Directory Traversal (BAC) |
| File Manager Pro | Directory Traversal (BAC) |
| Finale Lite | Missing Authorisation (BAC) to Unauthenticated System Private Information Disclosure |
| Formidable Registration | Arbitrary User Password Reset (BAC) to Account Takeover |
| Graphene Theme | Missing Authorisation (BAC) |
| HT Easy GA4 (Google Analytics 4) | Missing Authorisation (BAC) to Unauthenticated GA Email Update (BAC) |
| HT Mega | Directory Traversal (BAC) |
| Import Export WordPress Users | Path Traversal (BAC) |
| IP Blocker Lite | Bypass (BAC) |
| JCH Optimise | Broken Access Control (BAC) |
| Klarna Payments for WooCommerce | Broken Access Control (BAC) |
| LadiApp | Missing Authorisation (BAC) |
| Layouts for Elementor | Arbitrary File Upload (BAC) |
| Management App for WooCommerce | Arbitrary File Upload (BAC) |
| Master Slider | Cross-Site Scripting (XSS) via slider callback |
| MasterStudy LMS | Missing Authorisation (BAC) to Sensitive Information Exposure in search_posts |
| Max Mega Menu | Broken Access Control (BAC) |
| Mollie Forms | Missing Authorisation (BAC) to Arbitrary Post Duplication |
| Mollie Forms | Missing Authorisation (BAC) |
| Move Addons for Elementor | Broken Access Control (BAC) |
| MP3 Audio Player for Music, Radio & Podcast by Sonaar | Broken Access Control (BAC) |
| Multiple Page Generator Plugin – MPG | Broken Access Control (BAC) |
| Networker Theme | Missing Authorisation (BAC) |
| New Order Notification for Woocommerce | Broken Access Control (BAC) |
| Newsletter | IP Blacklist Bypass (BAC) |
| NextMove Lite | Missing Authorisation (BAC) to Unauthenticated System Private Information Disclosure |
| OceanWP Theme | Missing Authorisation (BAC) to Sensitive Information Exposure via Limited Local File Inclusion (BAC) |
| Olive One Click Demo Import | Broken Access Control (BAC) |
| Order Tip for WooCommerce | Missing Authorisation (BAC) to Unauthenticated Data Export |
| Otter Blocks PRO | Unauthenticated Cross-Site Scripting (XSS) via SVG Upload (BAC) |
| Page Builder Sandwich – Front-End Page Builder | Missing Authorisation (BAC) to Arbitrary Post Editing |
| PageLayer | Broken Access Control (BAC) |
| Permalink Manager Lite | Missing Authorisation (BAC) via get_uri_editor |
| Permalink Manager Lite | Missing Authorisation (BAC) to Arbitrary Post Slug Modification |
| Pie Register | Unauthenticated Arbitrary File Upload (BAC) |
| Play.ht | Missing Authorisation (BAC) |
| Pods | Missing Authorisation (BAC) |
| Premmerce Permalink Manager for WooCommerce | Local File Inclusion (BAC) |
| Product Import Export for WooCommerce | Arbitrary File Upload (BAC) |
| RegistrationMagic | Privilege Escalation (BAC) |
| Restaurant Reservations | Directory Traversal (BAC) to Local File Inclusion (BAC) |
| RevivePress | Missing Authorisation (BAC) |
| RT Easy Builder – Advanced addons for Elementor | Broken Access Control (BAC) |
| Salon booking system | Arbitrary File Upload (BAC) |
| Shortcode Addons | Arbitrary File Upload (BAC) |
| Shortcodes and extra features for Phlox Theme | Broken Access Control (BAC) |
| Shortlinks by Pretty Links | Cross-Site Request Forgery (CSRF) to Plugin Settings Update (BAC) |
| Simple Restrict | Missing Authorisation (BAC) to Sensitive Information Exposure |
| Simply Schedule Appointments | Cross-Site Request Forgery (CSRF) to Plugin Data Reset (BAC) |
| Sirv | Broken Access Control (BAC) |
| Sliced Invoices | Broken Access Control (BAC) |
| Smart Custom Fields | Missing Authorisation (BAC) to Post Content Private Information Disclosure |
| Social Icons Widget & Block by WPZOOM | Broken Access Control (BAC) |
| SP Project & Document Manager | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
| Spiffy Calendar | Broken Access Control (BAC) |
| SportsPress – Sports Club & League Manager | Missing Authorisation (BAC) to Unauthenticated Event Permalink Update (BAC) |
| Tainacan | Broken Access Control (BAC) |
| TeraWallet – For WooCommerce | Missing Authorisation (BAC) to User Email Export |
| Testimonial Slider | Settings Update (BAC) |
| The Plus Addons for Elementor Page Builder Lite | Local File Inclusion (BAC) |
| Total Theme | Missing Authorisation (BAC) to Sections Update (BAC) |
| Tourfic | Arbitrary File Upload (BAC) |
| Tumult Hype Animations | Arbitrary File Upload (BAC) |
| Tutor LMS | Missing Authorisation (BAC) to Arbitrary Post Deletion (BAC) |
| Ultimate Gift Cards For WooCommerce | Missing Authorisation (BAC) to Unauthenticated Information Exposure |
| VS Contact Form | Captcha Bypass (BAC) |
| weForms | Broken Access Control (BAC) |
| Whizzy | Broken Access Control (BAC) |
| WholesaleX | Broken Access Control (BAC) |
| WooCommerce Add to Cart Custom Redirect | Missing Authorisation (BAC) to Limited Arbitrary Options Update (BAC) |
| WooCommerce Cloak Affiliate Links | Missing Authorisation (BAC) to Unauthenticated Permalink Modification |
| WooCommerce Clover Payment Gateway | Missing Authorisation (BAC) via callback_handler |
| WooCommerce Multilingual & Multicurrency | Broken Access Control (BAC) |
| WP Compress – Image Optimiser [All-In-One] | Missing Authorisation (BAC) to Unauthenticated CDN Modification |
| WP Express Checkout (Accept PayPal Payments) | Price Manipulation (BAC) |
| WP Hotel Booking | Broken Access Control (BAC) |
| WP SendFox | Broken Access Control (BAC) |
| Wp Social | Missing Authorisation (BAC) to Unauthenticated Social Login/Share Status Update (BAC) |
| WPC Management for WooCommerce | Broken Access Control (BAC) |
| YITH WooCommerce Account Funds Premium | Broken Access Control (BAC) |
| Zippy | Arbitrary File Upload (BAC) |
| WP BAC & WordPress Broken Access Control reported | Count |
|---|---|
| in 2023 | 931 |
| in 2024 (year to date) | 343 |
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free and premium modules, plus occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC APR 2024: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and have no clue where to start? Hire an expert. Pay the price of a coffee per week; it's cheaper than one hour of a freelancer's time.
Not sure that our recurring security offer is worth long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.
We’re passionate about helping you grow and make your impact
Continue being informed
Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes.
Weekly inspiration, news and occasional hand-picked deals. Unsubscribe anytime.