WP BAC APR 2025
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control issues, identified and reported publicly. WP BAC APR 2025 is a +8% INCREASE compared to the previous month. Consider, for your online safety, a managed WP/Woo security AUDIT – OR – switching to a TOP10LIST alternative WP Security Plugin – OR – hiring us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate the "gazillion" different threats to your WordPress. Get your WP BAC APR 2025: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Admin and Site Enhancements (ASE) | Limit Login Attempt Bypass (BAC) from IP Spoofing |
Administrator Z | Missing Authorization (BAC) to Options Update (BAC) |
Ads by WPQuads | Broken Access Control (BAC) |
Advanced Dewplayer | Broken Access Control (BAC) |
Advanced File Manager | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Advanced iFrame | Unauthenticated Settings Update (BAC) |
Aiomatic | Missing Authorization (BAC) to Multiple Administrator Actions |
Aiomatic | Missing Authorization (BAC) to File Upload (BAC) |
Altair Theme | Unauthenticated Options Update (BAC) from pp_import_current |
Amazing service box Addons For WPBakery Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Analytify | Private Settings Change (BAC) |
Animation Addons for Elementor Pro | Missing Authorization (BAC) to Plugin Installation/Activation (BAC) |
Ayyash Studio | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
bbPress | Cross-Site Request Forgery (CSRF) and Limited Privilege Escalation (BAC) |
Big Store Theme | Broken Access Control (BAC) |
Bit Assist | Path Traversal (BAC) |
Bitspecter Suite | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Block Spam By Math Reloaded | Broken Access Control (BAC) |
BoomBox Theme Extensions | Privilege Escalation (BAC) from Password Reset/Account Takeover (BAC) in boombox_ajax_reset_password |
BP Email Assign Templates | Content Deletion (BAC) |
BWL Advanced FAQ Manager | Missing Authorization (BAC) to Limited Options Update (BAC) |
Chatbox Manager | Broken Access Control (BAC) |
cits-support-svg-webp-media-upload | Cross-Site Request Forgery (CSRF) and Font Assignment Deletion (BAC) |
Civi Theme | Authentication Bypass (BAC) from Non-Randomized Password for SSO Accounts |
Civi Theme | Authentication Bypass (BAC) from Password Update |
Clear Sucuri Cache | Broken Access Control (BAC) |
CM Download Manager | File Deletion (BAC) |
Code Snippets CPT | Shortcode Execution (BAC) |
Content Control | Unauthenticated Content Restriction Bypass (BAC) to Private Information Exposure |
Conversiosio | Broken Access Control (BAC) |
Cookiebot | Missing Authorization (BAC) to Survey Submission |
Cool Author Box | Broken Access Control (BAC) |
CozyStay Theme | Missing Authorization (BAC) to Action Execution (BAC) in ajax_handler |
CRM and Lead Management by vcita | Missing Authorization (BAC) to Widget Toggle |
CS Framework | File Deletion (BAC) |
CS Framework | File Read (BAC) |
CSV to Responsive Tables | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
DesignThemes Core Features | Missing Authorization (BAC) to Unauthenticated File Read (BAC) from dt_process_imported_file |
Directorist | Missing Authorization (BAC) to Unauthenticated Post Publishing |
Download Manager | Path Traversal (BAC) to Limited File Overwrite |
Drag and Drop Multiple File Upload – Contact Form 7 | Unauthenticated File Deletion (BAC) |
Drag and Drop Multiple File Upload – Contact Form 7 | Unauthenticated PHP Object Injection (RCE) from PHAR to File Deletion (BAC) |
WordPress Eco Nature - Environment & Ecology WordPress theme | Missing Authorization (BAC) to Limited Options Update (BAC) |
Edd Google Sheet Connector Pro | Cross-Site Request Forgery (CSRF) and Access Code Update (BAC) |
Eventin | Missing Authorization (BAC) to Unauthenticated Payment Status Update (BAC) |
EventPrime | Missing Authorization (BAC) to Private Event Attendees Export |
Event Tickets with Ticket Scanner | Tickets Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
Exchange Rates | Broken Access Control (BAC) |
External image replace | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
File Away | Missing Authorization (BAC) to Unauthenticated File Read (BAC) |
File Away | Missing Authorization (BAC) to Unauthenticated File Upload (BAC) from upload Function |
Five Star Restaurant Reservations | Broken Access Control (BAC) |
Flex Mag Theme | Missing Authorization (BAC) to Option Deletion (BAC) |
Flipdish Ordering System | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
Float menu | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
FluentForm | IP-Spoofing (BAC) |
FoodBakery | Missing Authorization (BAC) in Multiple Functions |
FooGallery | Insecure Direct Object Reference (IDOR) to Post/Page Updates (BAC) |
Football Pool | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
GetShop ecommerce | Path Traversal (BAC) |
GiveWP | Missing Authorization (BAC) to Unauthenticated Earning Reports Private Disclosure from give_reports_earnings Function |
Golo Theme | Missing Authorization (BAC) to Privilege Escalation (BAC) from Unauthenticated User Password Change |
Google Sheet Connector for Easy Digital Downloads | Cross-Site Request Forgery (CSRF) and Access Code Update (BAC) |
Greek Multi Tool – Fix peralinks, accents, auto create menus and more | Broken Access Control (BAC) |
GS Logo Slider | Unauthenticated Shortcode Execution (BAC) |
WordPress Hero Mega Menu - Responsive WordPress Menu Plugin | Missing Authorization (BAC) to Directory Deletion (BAC) |
Homey Theme | Unauthenticated Privilege Escalation (BAC) in homey_save_profile |
Homey Theme | Limited Authentication Bypass (BAC) due to Missing Empty Value Check |
Image Captcha | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
Image Slider / Slideshow Pearlbells | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Import Export WordPress Users | Directory Traversal to Limited File Deletion (BAC) from admin_log_page Function |
Import Export WordPress Users | Directory Traversal to Limited File Read (BAC) from download_file Function |
Industrial Theme | Missing Authorization (BAC) to Options Update (BAC) |
Inline Image Upload for BBPress | File Upload (BAC) |
Instant Appointment | Unauthenticated File Upload (BAC) |
InWave Jobs | Unauthenticated Privilege Escalation (BAC) from Password Reset |
IP Based Login | Log Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
Javo Core | Unauthenticated Privilege Escalation (BAC) in ajax_signup |
JobCareer Theme | Missing Authorization (BAC) to Multiple Administrative Actions |
Jobs for WordPress | File Read (BAC) |
JS Help Desk | File Download (BAC) |
JS Help Desk | File Deletion (BAC) |
JS Help Desk | Broken Access Control (BAC) |
Just Writing Statistics | Broken Access Control (BAC) |
King Addons for Elementor | Broken Access Control (BAC) |
Lafka Theme | Missing Authorization (BAC) to Demo Import |
LearnPress | Broken Access Control (BAC) |
LifterLMS | Missing Authorization (BAC) to Unauthenticated Post Trashing |
Listingo Theme | Unauthenticated Shortcode Execution (BAC) |
Live Forms | Private Settings Change (BAC) |
LoginPress | Cross-Site Request Forgery (CSRF) and Options Update (BAC) |
Material Dashboard | Privilege Escalation (BAC) |
Menu Duplicator | Broken Access Control (BAC) |
miniOrange Social Login and Register Pro Addon | Authentication Bypass (BAC) |
MorningTime Lite Theme | Cross-Site Scripting (XSS) / Remote Code Execution (BAC) |
Moving Media Library | Directory Traversal to File Deletion (BAC) |
Music Press Pro | Broken Access Control (BAC) |
Newscrunch Theme | File Upload (BAC) |
Newscrunch Theme | Cross-Site Request Forgery (CSRF) and File Upload (BAC) |
Order Export & Order Import for WooCommerce | Directory Traversal to Limited File Deletion (BAC) from admin_log_page Function |
Order Export & Order Import for WooCommerce | Directory Traversal to Limited File Read (BAC) from download_file Function |
PageLayer | Missing Authorization (BAC) to Post Publication |
PDF for WPForms | Shortcode Execution (BAC) |
Photo Slideshow (Responsive) | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
PluginPass | File Download/Delete (BAC) |
Post Meta Data Manager | Authenticated Multisite Privilege Escalation (BAC) |
Product Import Export for WooCommerce | Directory Traversal to Limited File Read (BAC) from download_file Function |
publish post email notification | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
Quiz Cat | Broken Access Control (BAC) |
Realteo | Authentication Bypass (BAC) from 'do_register_user' |
Recapture for WooCommerce | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
Resido | Missing Authorization (BAC) to Unauthenticated Server-Side Request Forgery (SSRF) and API Key Settings Update (BAC) |
Responsive Google Map | Broken Access Control (BAC) |
RomethemeKit For Elementor | Plugin Installation/Activation (BAC) to Remote Code Execution (RCE) |
School Management | Account Takeover (BAC) and Privilege Escalation (BAC) |
School Management | Missing Authorization (BAC) to Unauthenticated Post Deletion (BAC) |
Search Filter Pro | Missing Authorization (BAC) to Private Post Meta Exposure |
SecuPress Free | Broken Access Control (BAC) |
SecuPress Free | Broken Access Control (BAC) |
Secure Copy Content Protection and Content Locking | Missing Authorization (BAC) to Unauthenticated User Email Retrieval from ays_sccp_reports_user_search Function |
Sensei LMS | Broken Access Control (BAC) |
SEO Plugin by Squirrly SEO | Broken Access Control (BAC) |
Service Finder Booking | Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC) |
ShareThis Dashboard for Google Analytics | Missing Authorization (BAC) to Unauthenticated Feature Deactivation |
Shortcode Cleaner Lite | Missing Authorization (BAC) to Private Options Export |
Shortcodes by United Themes | Unauthenticated Shortcode Execution (BAC) |
Simple Download Counter | File Read (BAC) |
Simple Photo Feed | Broken Access Control (BAC) |
Simply Schedule Appointments | Unauthenticated Shortcode Execution (BAC) |
SMTP by BestWebSoft | File Upload (BAC) |
SNORDIAN's H5PxAPIkatchu | Broken Access Control (BAC) |
So-Called Air Quotes | Unauthenticated Shortcode Execution (BAC) |
SoJ SoundSlides | File Upload (BAC) |
Solace Extra | File Upload (BAC) |
SoundRise Music | Options Update (BAC) |
sourceplay-navermap | Broken Access Control (BAC) |
Sparkling Theme | Missing Authorization (BAC) to Unauthenticated Plugin Activation/Deactivation (BAC) |
Specific Content For Mobile | Broken Access Control (BAC) |
Taxi Booking Manager for WooCommerce | Broken Access Control (BAC) |
teachPress | Cross-Site Request Forgery (CSRF) and Import Delete (BAC) |
Terms & Conditions Per Product | Broken Access Control (BAC) |
Textmetrics | Broken Access Control (BAC) |
ThemeEgg ToolKit | File Upload (BAC) |
Tickera | Broken Access Control (BAC) |
Timetics | Broken Access Control (BAC) |
Top Bar | Broken Access Control (BAC) |
Traveler Theme | Broken Access Control (BAC) |
Traveler Theme | Broken Access Control (BAC) |
TrustReviews | Broken Access Control (BAC) |
UiPress lite | Missing Authorization (BAC) to Options Update (BAC) |
uListing | Privilege Escalation (BAC) |
Ultimate Auction | Missing Authorization (BAC) to Post Deletion (BAC) |
Ultimate Dashboard | Missing Authorization (BAC) to Plugin Modules Activation/Deactivation (BAC) |
Ultimate Video Player | Unauthenticated File Download (BAC) |
User Registration | Unauthenticated Privilege Escalation (BAC) |
VidoRev Extensions | Missing Authorization (BAC) to Unauthenticated Youtube Video Import |
VK Blocks | Missing Authorization (BAC) to Private Information Exposure |
VW Storefront Theme | Missing Authorization (BAC) to Settings Reset |
WC Affiliate | Missing Authorization (BAC) to Private Information Exposure from wf-export-all |
WooMail | Missing Authorization (BAC) to SQL Injection (SQLi) |
WordPress Awesome Import & Export Plugin - Import & Export WordPress Data | Missing Authorization (BAC) to SQL Execution (SQLi) and Privilege Escalation (BAC) |
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | Cross-Site Request Forgery (CSRF) and Results Deletion (BAC) |
Workreap Theme | Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC) |
WP01 | File Download (BAC) |
WPCOM Member | Authentication Bypass (BAC) from 'user_phone' |
WP Compress – Image Optimizer [All-In-One] | Missing Authorization (BAC) from Multiple Functions |
WP Crowdfunding | Missing Authorization (BAC) to Post Content Download |
WPCS | Unauthenticated Shortcode Execution (BAC) |
WPCS | Unauthenticated Shortcode Execution (BAC) |
WPC Smart Upsell Funnel for WooCommerce | Option Update to Privilege Escalation (BAC) |
WP ERP | Broken Access Control (BAC) |
WpEvently | Broken Access Control (BAC) |
WP Fast Total Search | Broken Access Control (BAC) |
WP JobHunt | Authentication Bypass (BAC) to Candidate |
WP JobHunt | Authentication Bypass (BAC) |
WP JobHunt | Unauthenticated Privilege Escalation (BAC) from Password Reset/Account Takeover (BAC) |
WP Online Contract | Missing Authorization (BAC) to Unauthenticated Settings Import |
WP Performance Pack | Broken Access Control (BAC) |
WP Real Estate Manager | Authentication Bypass (BAC) from Account Takeover (BAC) |
WPSchoolPress | Missing Authorization (BAC) to User Deletion (BAC) |
WPSchoolPress | Missing Authorization (BAC) to Privilege Escalation (BAC) from Account Takeover (BAC) |
Your Simple SVG Support | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Zass Theme | Missing Authorization (BAC) to Demo Import |
Z Companion | Broken Access Control (BAC) |
Zegen Theme | Missing Authorization (BAC) to Theme Options Update (BAC) |
WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
WP BAC & WordPress Broken Access Control reported in 2024: | 2024 |
WP BAC & WordPress Broken Access Control reported in 2025: | 834 |
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC APR 2025: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and have no clue where to start? Hire an expert. Pay the price of a coffee per week; it's cheaper than 1 hour of a freelancer's time.