WP BAC APR 2025: Brutal 185(!) WP Broken Access Control


Managed WordPress Security Report

Stay informed about the latest WP Broken Access Control vulnerabilities that were identified and reported publicly. WP BAC APR 2025 shows a +8% INCREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT, – OR – switching to a TOP10LIST alternative WP Security Plugin, – OR – hiring us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.

WHO needs managed WP security? EVERYBODY!

Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate "gazillion" different threats in your WordPress. Get your WP BAC APR 2025: WP Broken Access Control Patch Management.

The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:

Admin and Site Enhancements (ASE) Limit Login Attempt Bypass (BAC) from IP Spoofing
Administrator Z Missing Authorization (BAC) to Options Update (BAC)
Ads by WPQuads Broken Access Control (BAC)
Advanced Dewplayer Broken Access Control (BAC)
Advanced File Manager Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Advanced iFrame Unauthenticated Settings Update (BAC)
Aiomatic Missing Authorization (BAC) to Multiple Administrator Actions
Aiomatic Missing Authorization (BAC) to File Upload (BAC)
Altair Theme Unauthenticated Options Update (BAC) from pp_import_current
Amazing service box Addons For WPBakery Page Builder Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Analytify Private Settings Change (BAC)
Animation Addons for Elementor Pro Missing Authorization (BAC) to Plugin Installation/Activation (BAC)
Ayyash Studio Cross-Site Scripting (XSS) from SVG File Upload (BAC)
bbPress Cross-Site Request Forgery (CSRF) and Limited Privilege Escalation (BAC)
Big Store Theme Broken Access Control (BAC)
Bit Assist Path Traversal (BAC)
Bitspecter Suite Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Block Spam By Math Reloaded Broken Access Control (BAC)
BoomBox Theme Extensions Privilege Escalation (BAC) from Password Reset/Account Takeover (BAC) in boombox_ajax_reset_password
BP Email Assign Templates Content Deletion (BAC)
BWL Advanced FAQ Manager Missing Authorization (BAC) to Limited Options Update (BAC)
Chatbox Manager Broken Access Control (BAC)
cits-support-svg-webp-media-upload Cross-Site Request Forgery (CSRF) and Font Assignment Deletion (BAC)
Civi Theme Authentication Bypass (BAC) from Non-Randomized Password for SSO Accounts
Civi Theme Authentication Bypass (BAC) from Password Update
Clear Sucuri Cache Broken Access Control (BAC)
CM Download Manager File Deletion (BAC)
Code Snippets CPT Shortcode Execution (BAC)
Content Control Unauthenticated Content Restriction Bypass (BAC) to Private Information Exposure
Conversiosio Broken Access Control (BAC)
Cookiebot Missing Authorization (BAC) to Survey Submission
Cool Author Box Broken Access Control (BAC)
CozyStay Theme Missing Authorization (BAC) to Action Execution (BAC) in ajax_handler
CRM and Lead Management by vcita Missing Authorization (BAC) to Widget Toggle
CS Framework File Deletion (BAC)
CS Framework File Read (BAC)
CSV to Responsive Tables Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC)
DesignThemes Core Features Missing Authorization (BAC) to Unauthenticated File Read (BAC) from dt_process_imported_file
Directorist Missing Authorization (BAC) to Unauthenticated Post Publishing
Download Manager Path Traversal (BAC) to Limited File Overwrite
Drag and Drop Multiple File Upload (BAC) – Contact Form 7 Unauthenticated File Deletion (BAC)
Drag and Drop Multiple File Upload (BAC) – Contact Form 7 Unauthenticated PHP Object Injection (RCE) from PHAR to File Deletion (BAC)
WordPress Eco Nature - Environment & Ecology WordPress theme Missing Authorization (BAC) to Limited Options Update (BAC)
Edd Google Sheet Connector Pro Cross-Site Request Forgery (CSRF) and Access Code Update (BAC)
Eventin Missing Authorization (BAC) to Unauthenticated Payment Status Update (BAC)
EventPrime Missing Authorization (BAC) to Private Event Attendees Export
Event Tickets with Ticket Scanner Tickets Deletion (BAC) from Cross-Site Request Forgery (CSRF)
Exchange Rates Broken Access Control (BAC)
External image replace Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC)
File Away Missing Authorization (BAC) to Unauthenticated File Read (BAC)
File Away Missing Authorization (BAC) to Unauthenticated File Upload (BAC) from upload Function
Five Star Restaurant Reservations Broken Access Control (BAC)
Flex Mag Theme Missing Authorization (BAC) to Option Deletion (BAC)
Flipdish Ordering System Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC)
Float menu Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC)
FluentForm IP-Spoofing (BAC)
FoodBakery Missing Authorization (BAC) in Multiple Functions
FooGallery Insecure Direct Object Reference (IDOR) to Post/Page Updates (BAC)
Football Pool Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC)
GetShop ecommerce Path Traversal (BAC)
GiveWP Missing Authorization (BAC) to Unauthenticated Earning Reports Private Disclosure from give_reports_earnings Function
Golo Theme Missing Authorization (BAC) to Privilege Escalation (BAC) from Unauthenticated User Password Change
Google Sheet Connector for Easy Digital Downloads Cross-Site Request Forgery (CSRF) and Access Code Update (BAC)
Greek Multi Tool – Fix peralinks, accents, auto create menus and more Broken Access Control (BAC)
GS Logo Slider Unauthenticated Shortcode Execution (BAC)
WordPress Hero Mega Menu - Responsive WordPress Menu Plugin Missing Authorization (BAC) to Directory Deletion (BAC)
Homey Theme Unauthenticated Privilege Escalation (BAC) in homey_save_profile
Homey Theme Limited Authentication Bypass (BAC) due to Missing Empty Value Check
Image Captcha Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC)
Image Slider / Slideshow Pearlbells Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC)
Import Export WordPress Users Directory Traversal to Limited File Deletion (BAC) from admin_log_page Function
Import Export WordPress Users Directory Traversal to Limited File Read (BAC) from download_file Function
Industrial Theme Missing Authorization (BAC) to Options Update (BAC)
Inline Image Upload for BBPress File Upload (BAC)
Instant Appointment Unauthenticated File Upload (BAC)
InWave Jobs Unauthenticated Privilege Escalation (BAC) from Password Reset
IP Based Login Log Deletion (BAC) from Cross-Site Request Forgery (CSRF)
Javo Core Unauthenticated Privilege Escalation (BAC) in ajax_signup
JobCareer Theme Missing Authorization (BAC) to Multiple Administrative Actions
Jobs for WordPress File Read (BAC)
JS Help Desk File Download (BAC)
JS Help Desk File Deletion (BAC)
JS Help Desk Broken Access Control (BAC)
Just Writing Statistics Broken Access Control (BAC)
King Addons for Elementor Broken Access Control (BAC)
Lafka Theme Missing Authorization (BAC) to Demo Import
LearnPress Broken Access Control (BAC)
LifterLMS Missing Authorization (BAC) to Unauthenticated Post Trashing
Listingo Theme Unauthenticated Shortcode Execution (BAC)
Live Forms Private Settings Change (BAC)
LoginPress Cross-Site Request Forgery (CSRF) and Options Update (BAC)
Material Dashboard Privilege Escalation (BAC)
Menu Duplicator Broken Access Control (BAC)
miniOrange Social Login and Register Pro Addon Authentication Bypass (BAC)
MorningTime Lite Theme Cross-Site Scripting (XSS) Remote Code Execution (BAC)
Moving Media Library Directory Traversal to File Deletion (BAC)
Music Press Pro Broken Access Control (BAC)
Newscrunch Theme File Upload (BAC)
Newscrunch Theme Cross-Site Request Forgery (CSRF) and File Upload (BAC)
Order Export & Order Import for WooCommerce Directory Traversal to Limited File Deletion (BAC) from admin_log_page Function
Order Export & Order Import for WooCommerce Directory Traversal to Limited File Read (BAC) from download_file Function
PageLayer Missing Authorization (BAC) to Post Publication
PDF for WPForms Shortcode Execution (BAC)
Photo Slideshow (Responsive) Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC)
PluginPass File Download/Delete (BAC)
Post Meta Data Manager Authenticated Multisite Privilege Escalation (BAC)
Product Import Export for WooCommerce Directory Traversal to Limited File Read (BAC) from download_file Function
publish post email notification Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC)
Quiz Cat Broken Access Control (BAC)
Realteo Authentication Bypass (BAC) from 'do_register_user'
Recapture for WooCommerce Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC)
Resido Missing Authorization (BAC) to Unauthenticated Server-Side Request Forgery (SSRF) and API Key Settings Update (BAC)
Responsive Google Map Broken Access Control (BAC)
RomethemeKit For Elementor Plugin Installation/Activation (BAC) to Remote Code Execution (RCE)
School Management Account Takeover (BAC) and Privilege Escalation (BAC)
School Management Missing Authorization (BAC) to Unauthenticated Post Deletion (BAC)
Search Filter Pro Missing Authorization (BAC) to Private Post Meta Exposure
SecuPress Free Broken Access Control (BAC)
SecuPress Free Broken Access Control (BAC)
Secure Copy Content Protection and Content Locking Missing Authorization (BAC) to Unauthenticated User Email Retrieval from ays_sccp_reports_user_search Function
Sensei LMS Broken Access Control (BAC)
SEO Plugin by Squirrly SEO Broken Access Control (BAC)
Service Finder Booking Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC)
ShareThis Dashboard for Google Analytics Missing Authorization (BAC) to Unauthenticated Feature Deactivation
Shortcode Cleaner Lite Missing Authorization (BAC) to Private Options Export
Shortcodes by United Themes Unauthenticated Shortcode Execution (BAC)
Simple Download Counter File Read (BAC)
Simple Photo Feed Broken Access Control (BAC)
Simply Schedule Appointments Unauthenticated Shortcode Execution (BAC)
SMTP by BestWebSoft File Upload (BAC)
SNORDIAN's H5PxAPIkatchu Broken Access Control (BAC)
So-Called Air Quotes Unauthenticated Shortcode Execution (BAC)
SoJ SoundSlides File Upload (BAC)
Solace Extra File Upload (BAC)
SoundRise Music Options Update (BAC)
sourceplay-navermap Broken Access Control (BAC)
Sparkling Theme Missing Authorization (BAC) to Unauthenticated Plugin Activation/Deactivation (BAC)
Specific Content For Mobile Broken Access Control (BAC)
Taxi Booking Manager for WooCommerce Broken Access Control (BAC)
teachPress Cross-Site Request Forgery (CSRF) and Import Delete (BAC)
Terms & Conditions Per Product Broken Access Control (BAC)
Textmetrics Broken Access Control (BAC)
ThemeEgg ToolKit File Upload (BAC)
Tickera Broken Access Control (BAC)
Timetics Broken Access Control (BAC)
Top Bar Broken Access Control (BAC)
Traveler Theme Broken Access Control (BAC)
Traveler Theme Broken Access Control (BAC)
TrustReviews Broken Access Control (BAC)
UiPress lite Missing Authorization (BAC) to Options Update (BAC)
uListing Privilege Escalation (BAC)
Ultimate Auction Missing Authorization (BAC) to Post Deletion (BAC)
Ultimate Dashboard Missing Authorization (BAC) to Plugin Modules Activation/Deactivation (BAC)
Ultimate Video Player Unauthenticated File Download (BAC)
User Registration Unauthenticated Privilege Escalation (BAC)
VidoRev Extensions Missing Authorization (BAC) to Unauthenticated Youtube Video Import
VK Blocks Missing Authorization (BAC) to Private Information Exposure
VW Storefront Theme Missing Authorization (BAC) to Settings Reset
WC Affiliate Missing Authorization (BAC) to Private Information Exposure from wf-export-all
WooMail Missing Authorization (BAC) to SQL Injection (SQLi)
WordPress Awesome Import & Export Plugin - Import & Export WordPress Data Missing Authorization (BAC) to SQL Execution (SQLi) and Privilege Escalation (BAC)
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto Cross-Site Request Forgery (CSRF) and Results Deletion (BAC)
Workreap Theme Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC)
WP01 File Download (BAC)
WPCOM Member Authentication Bypass (BAC) from 'user_phone'
WP Compress – Image Optimizer [All-In-One] Missing Authorization (BAC) from Multiple Functions
WP Crowdfunding Missing Authorization (BAC) to Post Content Download
WPCS Unauthenticated Shortcode Execution (BAC)
WPCS Unauthenticated Shortcode Execution (BAC)
WPC Smart Upsell Funnel for WooCommerce Option Update to Privilege Escalation (BAC)
WP ERP Broken Access Control (BAC)
WpEvently Broken Access Control (BAC)
WP Fast Total Search Broken Access Control (BAC)
WP JobHunt Authentication Bypass (BAC) to Candidate
WP JobHunt Authentication Bypass (BAC)
WP JobHunt Unauthenticated Privilege Escalation (BAC) from Password Reset/Account Takeover (BAC)
WP Online Contract Missing Authorization (BAC) to Unauthenticated Settings Import
WP Performance Pack Broken Access Control (BAC)
WP Real Estate Manager Authentication Bypass (BAC) from Account Takeover (BAC)
WPSchoolPress Missing Authorization (BAC) to User Deletion (BAC)
WPSchoolPress Missing Authorization (BAC) to Privilege Escalation (BAC) from Account Takeover (BAC)
Your Simple SVG Support Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Zass Theme Missing Authorization (BAC) to Demo Import
Z Companion Broken Access Control (BAC)
Zegen Theme Missing Authorization (BAC) to Theme Options Update (BAC)

WP BAC & WordPress Broken Access Control reported in 2023: 931
WP BAC & WordPress Broken Access Control reported in 2024: 2024
WP BAC & WordPress Broken Access Control reported in 2025: 834

WHO needs managed WP Maintenance? EVERYBODY!

Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC APR 2025: WP Broken Access Control Patch Management.

Security is not a single-task job

Need managed WP Security and have no clue where to start? Hire an expert. Pay the price of a coffee per week; it's cheaper than 1 hour of a freelancer.

Not sure that our recurrent security offer is worthy of long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.
