WP BAC APR 2025
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC APR 2025 is a +8% INCREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin – OR – Hire us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate "gazillion" different threats in your WordPress. Get your WP BAC APR 2025: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
| Admin and Site Enhancements (ASE) | Limit Login Attempt Bypass (BAC) from IP Spoofing |
| Administrator Z | Missing Authorization (BAC) to Options Update (BAC) |
| Ads by WPQuads | Broken Access Control (BAC) |
| Advanced Dewplayer | Broken Access Control (BAC) |
| Advanced File Manager | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Advanced iFrame | Unauthenticated Settings Update (BAC) |
| Aiomatic | Missing Authorization (BAC) to Multiple Administrator Actions |
| Aiomatic | Missing Authorization (BAC) to File Upload (BAC) |
| Altair Theme | Unauthenticated Options Update (BAC) from pp_import_current |
| Amazing service box Addons For WPBakery Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Analytify | Private Settings Change (BAC) |
| Animation Addons for Elementor Pro | Missing Authorization (BAC) to Plugin Installation/Activation (BAC) |
| Ayyash Studio | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| bbPress | Cross-Site Request Forgery (CSRF) and Limited Privilege Escalation (BAC) |
| Big Store Theme | Broken Access Control (BAC) |
| Bit Assist | Path Traversal (BAC) |
| Bitspecter Suite | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Block Spam By Math Reloaded | Broken Access Control (BAC) |
| BoomBox Theme Extensions | Privilege Escalation (BAC) from Password Reset/Account Takeover (BAC) in boombox_ajax_reset_password |
| BP Email Assign Templates | Content Deletion (BAC) |
| BWL Advanced FAQ Manager | Missing Authorization (BAC) to Limited Options Update (BAC) |
| Chatbox Manager | Broken Access Control (BAC) |
| cits-support-svg-webp-media-upload | Cross-Site Request Forgery (CSRF) and Font Assignment Deletion (BAC) |
| Civi Theme | Authentication Bypass (BAC) from Non-Randomized Password for SSO Accounts |
| Civi Theme | Authentication Bypass (BAC) from Password Update |
| Clear Sucuri Cache | Broken Access Control (BAC) |
| CM Download Manager | File Deletion (BAC) |
| Code Snippets CPT | Shortcode Execution (BAC) |
| Content Control | Unauthenticated Content Restriction Bypass (BAC) to Private Information Exposure |
| Conversiosio | Broken Access Control (BAC) |
| Cookiebot | Missing Authorization (BAC) to Survey Submission |
| Cool Author Box | Broken Access Control (BAC) |
| CozyStay Theme | Missing Authorization (BAC) to Action Execution (BAC) in ajax_handler |
| CRM and Lead Management by vcita | Missing Authorization (BAC) to Widget Toggle |
| CS Framework | File Deletion (BAC) |
| CS Framework | File Read (BAC) |
| CSV to Responsive Tables | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
| DesignThemes Core Features | Missing Authorization (BAC) to Unauthenticated File Read (BAC) from dt_process_imported_file |
| Directorist | Missing Authorization (BAC) to Unauthenticated Post Publishing |
| Download Manager | Path Traversal (BAC) to Limited File Overwrite |
| Drag and Drop Multiple File Upload (BAC) – Contact Form 7 | Unauthenticated File Deletion (BAC) |
| Drag and Drop Multiple File Upload (BAC) – Contact Form 7 | Unauthenticated PHP Object Injection (RCE) from PHAR to File Deletion (BAC) |
| WordPress Eco Nature - Environment & Ecology WordPress theme | Missing Authorization (BAC) to Limited Options Update (BAC) |
| Edd Google Sheet Connector Pro | Cross-Site Request Forgery (CSRF) and Access Code Update (BAC) |
| Eventin | Missing Authorization (BAC) to Unauthenticated Payment Status Update (BAC) |
| EventPrime | Missing Authorization (BAC) to Private Event Attendees Export |
| Event Tickets with Ticket Scanner | Tickets Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
| Exchange Rates | Broken Access Control (BAC) |
| External image replace | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
| File Away | Missing Authorization (BAC) to Unauthenticated File Read (BAC) |
| File Away | Missing Authorization (BAC) to Unauthenticated File Upload (BAC) from upload Function |
| Five Star Restaurant Reservations | Broken Access Control (BAC) |
| Flex Mag Theme | Missing Authorization (BAC) to Option Deletion (BAC) |
| Flipdish Ordering System | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
| Float menu | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
| FluentForm | IP-Spoofing (BAC) |
| FoodBakery | Missing Authorization (BAC) in Multiple Functions |
| FooGallery | Insecure Direct Object Reference (IDOR) to Post/Page Updates (BAC) |
| Football Pool | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
| GetShop ecommerce | Path Traversal (BAC) |
| GiveWP | Missing Authorization (BAC) to Unauthenticated Earning Reports Private Disclosure from give_reports_earnings Function |
| Golo Theme | Missing Authorization (BAC) to Privilege Escalation (BAC) from Unauthenticated User Password Change |
| Google Sheet Connector for Easy Digital Downloads | Cross-Site Request Forgery (CSRF) and Access Code Update (BAC) |
| Greek Multi Tool – Fix peralinks, accents, auto create menus and more | Broken Access Control (BAC) |
| GS Logo Slider | Unauthenticated Shortcode Execution (BAC) |
| WordPress Hero Mega Menu - Responsive WordPress Menu Plugin | Missing Authorization (BAC) to Directory Deletion (BAC) |
| Homey Theme | Unauthenticated Privilege Escalation (BAC) in homey_save_profile |
| Homey Theme | Limited Authentication Bypass (BAC) due to Missing Empty Value Check |
| Image Captcha | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
| Image Slider / Slideshow Pearlbells | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
| Import Export WordPress Users | Directory Traversal to Limited File Deletion (BAC) from admin_log_page Function |
| Import Export WordPress Users | Directory Traversal to Limited File Read (BAC) from download_file Function |
| Industrial Theme | Missing Authorization (BAC) to Options Update (BAC) |
| Inline Image Upload for BBPress | File Upload (BAC) |
| Instant Appointment | Unauthenticated File Upload (BAC) |
| InWave Jobs | Unauthenticated Privilege Escalation (BAC) from Password Reset |
| IP Based Login | Log Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
| Javo Core | Unauthenticated Privilege Escalation (BAC) in ajax_signup |
| JobCareer Theme | Missing Authorization (BAC) to Multiple Administrative Actions |
| Jobs for WordPress | File Read (BAC) |
| JS Help Desk | File Download (BAC) |
| JS Help Desk | File Deletion (BAC) |
| JS Help Desk | Broken Access Control (BAC) |
| Just Writing Statistics | Broken Access Control (BAC) |
| King Addons for Elementor | Broken Access Control (BAC) |
| Lafka Theme | Missing Authorization (BAC) to Demo Import |
| LearnPress | Broken Access Control (BAC) |
| LifterLMS | Missing Authorization (BAC) to Unauthenticated Post Trashing |
| Listingo Theme | Unauthenticated Shortcode Execution (BAC) |
| Live Forms | Private Settings Change (BAC) |
| LoginPress | Cross-Site Request Forgery (CSRF) and Options Update (BAC) |
| Material Dashboard | Privilege Escalation (BAC) |
| Menu Duplicator | Broken Access Control (BAC) |
| miniOrange Social Login and Register Pro Addon | Authentication Bypass (BAC) |
| MorningTime Lite Theme | Cross-Site Scripting (XSS)Remote Code Execution (BAC) |
| Moving Media Library | Directory Traversal to File Deletion (BAC) |
| Music Press Pro | Broken Access Control (BAC) |
| Newscrunch Theme | File Upload (BAC) |
| Newscrunch Theme | Cross-Site Request Forgery (CSRF) and File Upload (BAC) |
| Order Export & Order Import for WooCommerce | Directory Traversal to Limited File Deletion (BAC) from admin_log_page Function |
| Order Export & Order Import for WooCommerce | Directory Traversal to Limited File Read (BAC) from download_file Function |
| PageLayer | Missing Authorization (BAC) to Post Publication |
| PDF for WPForms | Shortcode Execution (BAC) |
| Photo Slideshow (Responsive) | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
| PluginPass | File Download/Delete (BAC) |
| Post Meta Data Manager | Authentciated Multisite Privilege Escalation (BAC) |
| Product Import Export for WooCommerce | Directory Traversal to Limited File Read (BAC) from download_file Function |
| publish post email notification | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
| Quiz Cat | Broken Access Control (BAC) |
| Realteo | Authentication Bypass (BAC) from 'do_register_user' |
| Recapture for WooCommerce | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
| Resido | Missing Authorization (BAC) to Unauthenticated Server-Side Request Forgery (SSRF) and API Key Settings Update (BAC) |
| Responsive Google Map | Broken Access Control (BAC) |
| RomethemeKit For Elementor | Plugin Installation/Activation (BAC) to Remote Code Execution (RCE) |
| School Management | Account Takeover (BAC) and Privilege Escalation (BAC) |
| School Management | Missing Authorization (BAC) to Unauthenticated Post Deletion (BAC) |
| Search Filter Pro | Missing Authorization (BAC) to Private Post Meta Exposure |
| SecuPress Free | Broken Access Control (BAC) |
| SecuPress Free | Broken Access Control (BAC) |
| Secure Copy Content Protection and Content Locking | Missing Authorization (BAC) to Unauthenticated User Email Retrieval from ays_sccp_reports_user_search Function |
| Sensei LMS | Broken Access Control (BAC) |
| SEO Plugin by Squirrly SEO | Broken Access Control (BAC) |
| Service Finder Booking | Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC) |
| ShareThis Dashboard for Google Analytics | Missing Authorization (BAC) to Unauthenticated Feature Deactivation |
| Shortcode Cleaner Lite | Missing Authorization (BAC) to Private Options Export |
| Shortcodes by United Themes | Unauthenticated Shortcode Execution (BAC) |
| Simple Download Counter | File Read (BAC) |
| Simple Photo Feed | Broken Access Control (BAC) |
| Simply Schedule Appointments | Unauthenticated Shortcode Execution (BAC) |
| SMTP by BestWebSoft | File Upload (BAC) |
| SNORDIAN's H5PxAPIkatchu | Broken Access Control (BAC) |
| So-Called Air Quotes | Unauthenticated Shortcode Execution (BAC) |
| SoJ SoundSlides | File Upload (BAC) |
| Solace Extra | File Upload (BAC) |
| SoundRise Music | Options Update (BAC) |
| sourceplay-navermap | Broken Access Control (BAC) |
| Sparkling Theme | Missing Authorization (BAC) to Unauthenticated Plugin Activation/Deactivation (BAC) (BAC) |
| Specific Content For Mobile | Broken Access Control (BAC) |
| Taxi Booking Manager for WooCommerce | Broken Access Control (BAC) |
| teachPress | Cross-Site Request Forgery (CSRF) and Import Delete (BAC) |
| Terms & Conditions Per Product | Broken Access Control (BAC) |
| Textmetrics | Broken Access Control (BAC) |
| ThemeEgg ToolKit | File Upload (BAC) |
| Tickera | Broken Access Control (BAC) |
| Timetics | Broken Access Control (BAC) |
| Top Bar | Broken Access Control (BAC) |
| Traveler Theme | Broken Access Control (BAC) |
| Traveler Theme | Broken Access Control (BAC) |
| TrustReviews | Broken Access Control (BAC) |
| UiPress lite | Missing Authorization (BAC) to Options Update (BAC) |
| uListing | Privilege Escalation (BAC) |
| Ultimate Auction | Missing Authorization (BAC) to Post Deletion (BAC) |
| Ultimate Dashboard | Missing Authorization (BAC) to Plugin Modules Activation/Deactivation (BAC) |
| Ultimate Video Player | Unauthenticated File Download (BAC) |
| User Registration | Unauthenticated Privilege Escalation (BAC) |
| VidoRev Extensions | Missing Authorization (BAC) to Unauthenticated Youtube Video Import |
| VK Blocks | Missing Authorization (BAC) to Private Information Exposure |
| VW Storefront Theme | Missing Authorization (BAC) to Settings Reset |
| WC Affiliate | Missing Authorization (BAC) to Private Information Exposure from wf-export-all |
| WooMail | Missing Authorization (BAC) to SQL Injection (SQLi) |
| WordPress Awesome Import & Export Plugin - Import & Export WordPress Data | Missing Authorization (BAC) to SQL Execution (SQLi) and Privilege Escalation (BAC) |
| WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | Cross-Site Request Forgery (CSRF) and Results Deletion (BAC) |
| Workreap Theme | Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC) |
| WP01 | File Download (BAC) |
| WPCOM Member | Authentication Bypass (BAC) from 'user_phone' |
| WP Compress – Image Optimizer [All-In-One] | Missing Authorization (BAC) from Multiple Functions |
| WP Crowdfunding | Missing Authorization (BAC) to Post Content Download |
| WPCS | Unauthenticated Shortcode Execution (BAC) |
| WPCS | Unauthenticated Shortcode Execution (BAC) |
| WPC Smart Upsell Funnel for WooCommerce | Option Update to Privilege Escalation (BAC) |
| WP ERP | Broken Access Control (BAC) |
| WpEvently | Broken Access Control (BAC) |
| WP Fast Total Search | Broken Access Control (BAC) |
| WP JobHunt | Authentication Bypass (BAC) to Candidate |
| WP JobHunt | Authentication Bypass (BAC) |
| WP JobHunt | Unauthenticated Privilege Escalation (BAC) from Password Reset/Account Takeover (BAC) |
| WP Online Contract | Missing Authorization (BAC) to Unauthenticated Settings Import |
| WP Performance Pack | Broken Access Control (BAC) |
| WP Real Estate Manager | Authentication Bypass (BAC) from Account Takeover (BAC) |
| WPSchoolPress | Missing Authorization (BAC) to User Deletion (BAC) |
| WPSchoolPress | Missing Authorization (BAC) to Privilege Escalation (BAC) from Account Takeover (BAC) |
| Your Simple SVG Support | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Zass Theme | Missing Authorization (BAC) to Demo Import |
| Z Companion | Broken Access Control (BAC) |
| Zegen Theme | Missing Authorization (BAC) to Theme Options Update (BAC)s |
| WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
| WP BAC & WordPress Broken Access Control reported in 2024: | 2024 |
| WP BAC & WordPress Broken Access Control reported in 2025: | 834 |
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC APR 2025: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and got no clue where to start? Hire an expert. Pay a coffee per week, its cheaper than 1 hour for a freelancer.
