WP BAC AUG 2024
WP Broken Access Control
Tailored WordPress Security Report
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC AUG 2024 is a +6% INCREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin - OR - Hire professionals for tailored WP Security.
WHO needs tailored WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate "gazillion" different threats in your WordPress. Get your WP BAC AUG 2024: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Academy LMS | Broken Access Control (BAC) |
Add Admin CSS | Unauthenticated Full Path Disclosure (BAC) |
Add Admin JavaScript | Unauthenticated Full Path Disclosure (BAC) |
Addonify | Unauthenticated Full Path Disclosure (BAC) |
Admin Post Navigation | Unauthenticated Full Path Disclosure (BAC) |
Admin Trim Interface | Unauthenticated Full Path Disclosure (BAC) |
Advanced AJAX Page Loader | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Affiliate Manager | Profile Update (BAC) via Cross-Site Request Forgery (CSRF) |
Affiliate Manager | Affiliate Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
AForms | Unauthenticated Full Path Disclosure (BAC) |
AMP for WP | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Aramex Shipping WooCommerce | Unauthenticated Full Path Disclosure (BAC) |
Arconix FAQ | Broken Access Control (BAC) |
Arconix Shortcodes | Broken Access Control (BAC) |
ArtPlacer Widget | Arbitrary Widget Deletion (BAC) |
Atarim | Broken Access Control (BAC) |
aThemes Starter Sites | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Attachment File Icons | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Auto Featured Image (Auto Post Thumbnail) | Broken Access Control (BAC) |
Backup and Staging by WP Time Capsule | Authentication Bypass and Privilege Escalation (BAC) |
Bakes And Cakes Theme | Broken Access Control (BAC) on Notice Dismissal |
Bit Form – Contact Form Plugin | Arbitrary File Upload (BAC) |
BookingPress | Arbitrary File Read to Arbitrary File Creation (BAC) |
BookingPress | Missing Authorization (BAC) to Arbitrary Options Update (BAC) and Arbitrary File Upload (BAC) |
Booking Ultra Pro | Missing Authorization (BAC) to Plugin Settings Updates (BAC) |
BookYourTravel Theme | Privilege Escalation (BAC) |
Branda | Unauthenticated Full Path Disclosure (BAC) |
Brizy – Page Builder | Arbitrary File Upload (BAC) |
Brizy – Page Builder | Missing Authorization (BAC) to Post Modification (BAC) |
Business Card | File Upload (BAC) |
Business One Page Theme | Broken Access Control (BAC) on Notice Dismissal |
Campaign Monitor for WordPress | Unauthenticated Full Path Disclosure (BAC) |
Chained Quiz | Broken Access Control (BAC) |
Charitable | Broken Access Control (BAC) |
Church Admin | Arbitrary File Upload (BAC) |
CM On Demand Search And Replace | Plugin Reset (BAC) via Cross-Site Request Forgery (CSRF) |
Comment Images Reloaded | Arbitrary Media Deletion (BAC) |
Community Events | Event Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
Conditional Fields for Contact Form | Cross-Site Request Forgery (CSRF) to Plugin Setting Reset (BAC) |
Cost Calculator Builder | Missing Authorization (BAC) to Arbitrary Content Creation (BAC) |
CRM Perks Forms | Broken Access Control (BAC) |
CTX Feed | Arbitrary Options Update (BAC) |
Custom Query Blocks | Broken Access Control (BAC) |
Default Thumbnail Plus | Arbitrary File Upload (BAC) |
Duplica | Missing Authorization (BAC) to Users/Posts Duplicates Creation (BAC) |
Duplicator | Full Path Disclosure (BAC) |
EazyDocs | Broken Access Control (BAC) |
EleForms | Broken Access Control (BAC) |
Email Subscribers & Newsletters | Missing Authorization (BAC) |
EmbedPress | Broken Access Control (BAC) |
Eventin | Missing Authorization (BAC) to Event Data Import |
EventON | Missing Authorization (BAC) to Unauthenticated Cross-Site Scripting (XSS) and Plugin Settings Updates (BAC) |
Featured Image from URL | Broken Access Control (BAC) |
Featured Image Generator | Missing Authorization (BAC) to Images Upload (BAC) |
File Manager Advanced Shortcode | Arbitrary File Upload (BAC) |
Funnel Builder for WordPress by FunnelKit | Cross-Site Scripting (XSS) via SVG Upload (BAC) |
Funnel Builder for WordPress by FunnelKit | Missing Authorization (BAC) to Settings Update (BAC) |
Generate PDF using Contact Form | Cross-Site Request Forgery (CSRF) to Arbitrary File Deletion (BAC) |
Generate PDF using Contact Form | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Get Better Reviews for WooCommerce | Broken Access Control (BAC) |
Glossary | Unauthenticated Full Path Disclosure (BAC) |
Gravity Forms: Multiple Form Instances | Unauthenticated Full Path Disclosure (BAC) |
Hide My WP Ghost | Hidden Login Page Disclosure (BAC) |
IgnitionDeck | Missing Authorization (BAC) |
IMGspider | Arbitrary File Upload (BAC) |
Import Spreadsheets from Microsoft Excel | Arbitrary File Upload (BAC) |
Insert or Embed Articulate Content into WordPress | Arbitrary File Upload (BAC) |
Intelligence | Unauthenticated Full Path Disclosure (BAC) |
iPanorama 3 WordPress Virtual Tour Builder | Broken Access Control (BAC) |
IQ Testimonials | Unauthenticated Arbitrary File Upload (BAC) |
JetThemeCore | Arbitrary File Deletion (BAC) |
Jobmonster Theme | Unauthenticated Arbitrary File Deletion (BAC) |
Jobmonster Theme | Unauthenticated Privilege Escalation (BAC) |
JSON API User | Unauthenticated Privilege Escalation (BAC) |
Just Custom Fields | Missing Authorization (BAC) via AJAX actions |
Keydatas | Unauthenticated Arbitrary File Upload (BAC) |
Language Translate Widget for WordPress – ConveyThis | Nonarbitrary Options Update (BAC) |
Laposta | Unauthenticated Full Path Disclosure (BAC) |
LearnDash LMS – Reports | Missing Authorization (BAC) to Plugin Settings Update (BAC) |
LearnPress | Missing Authorization (BAC) to Unauthenticated User Registration Bypass |
Light Poll | Poll Answers Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
MasterStudy LMS | Privilege Escalation (BAC) to Instructor |
MaxiBlocks | Arbitrary File Deletion (BAC) |
Media Hygiene | Missing Authorization (BAC) to Arbitrary Attachment Deletion (BAC) |
Media.net Ads Manager | Missing Authorization (BAC) to Arbitrary File Upload (BAC) |
Meks Video Importer | Broken Access Control (BAC) |
Metro Magazine Theme | Broken Access Control (BAC) on Notice Dismissal |
Modern Events Calendar | Arbitrary File Upload (BAC) |
Modern Events Calendar Lite | Arbitrary File Upload (BAC) |
Motors – Car Dealer & Classified Ads | Missing Authorization (BAC) |
Newsmatic Theme | Broken Access Control (BAC) |
Newspack Content Converter | Broken Access Control (BAC) |
Newspack Newsletters | Broken Access Control (BAC) |
Noptin | Broken Access Control (BAC) |
One Click Close Comments | Unauthenticated Full Path Disclosure (BAC) |
One Click Order ReOrder | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
Optimize images ALT Text (alt tag) & names for SEO using AI | Unauthenticated Full Path Disclosure (BAC) |
Packlink PRO shipping module | Broken Access Control (BAC) |
Pardakht Delkhah | Form Fields Reset (BAC) via Cross-Site Request Forgery (CSRF) |
Payflex Payment Gateway | Missing Authorization (BAC) to Order Status Update |
Pie Register | Missing Authorization (BAC) to Arbitrary Plugin Installation and Activation/Deactivation |
Plum: Spin Wheel & Email Popup | Broken Access Control (BAC) |
Plum: Spin Wheel & Email Popup | Broken Access Control (BAC) to Unauthenticated Cross-Site Scripting (XSS) |
PowerPack for Beaver Builder | Privilege Escalation (BAC) |
PowerPack Pro for Elementor | Privilege Escalation (BAC) |
Pricing Table | Missing Authorization (BAC) |
Product Delivery Date for WooCommerce – Lite | Broken Access Control (BAC) |
Product Designer | Arbitrary Content Deletion (BAC) |
Product Designer | Missing Authorization (BAC) to Unauthenticated Arbitrary Attachment Deletion (BAC) |
Profile Builder | Unauthenticated Media Upload (BAC) |
ProfileGrid | Broken Access Control (BAC) |
ProfileGrid | Privilege Escalation (BAC) |
Quotes And Tips | Arbitrary File Upload (BAC) |
Realtyna Organic IDX plugin | Arbitrary File Upload (BAC) |
ReDi Restaurant Reservation | Broken Access Control (BAC) |
Redux Framework | Unauthenticated JSON File Upload (BAC) to Cross-Site Scripting (XSS) |
Responsive Image Gallery, Gallery Album | Broken Access Control (BAC) |
SchedulePress | Unauthenticated Full Path Disclosure (BAC) |
ScrollTo Bottom | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
ScrollTo Top | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Seraphinite Accelerator (Full, premium) | Cross-Site Request Forgery (CSRF) Leading to Arbitrary File Deletion (BAC) |
Seraphinite Post .DOCX Source | Broken Access Control (BAC) |
Simple Photoswipe | Arbitrary Settings Update (BAC) |
Sirv | Missing Authorization (BAC) to Plugin Settings Update (BAC) |
SiteGround Security | Broken Access Control (BAC) |
SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer | Unauthenticated Full Path Disclosure (BAC) |
Social Auto Poster | Arbitrary File Upload (BAC) |
Social Auto Poster | Missing Authorization (BAC) to Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template |
Social Auto Poster | Missing Authorization (BAC) to Unauthenticated Arbitrary Post Deletion (BAC) |
Social Auto Poster | Missing Authorization (BAC) via Multiple Functions |
Spectra | Broken Access Control (BAC) |
SULly | Plugin Reset (BAC) via Cross-Site Request Forgery (CSRF) |
Support SVG | Cross-Site Scripting (XSS) via SVG Upload (BAC) |
SVG Block | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Tainacan | Missing Authorization (BAC) to Arbitrary File Read |
The Post Grid | Broken Access Control (BAC) |
Titan Antispam & Security | Broken Access Control (BAC) |
Tutor LMS – Migration Tool | Missing Authorization (BAC) in tutor_lp_export_xml and tutor_import_from_xml |
Ultimate Addons for Elementor | Privilege Escalation (BAC) |
Ultimate Auction | Missing Authorization (BAC) to Unauthenticated Email Creation (BAC) |
User Activity Log Pro | Multiple Broken Access Control (BAC) |
Web and WooCommerce Addons for WPBakery Builder | Missing Authorization (BAC) to Plugin Settings Modification (BAC) |
Wholesale Suite | Broken Access Control (BAC) |
Woffice Core | Unauthenticated Broken Access Control (BAC) |
Woocommerce OpenPos | Unauthenticated Arbitrary File Deletion (BAC) |
WooCommerce Product Table Lite | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
WordPress Cliengo Chatbot plugin | Missing Authorization (BAC) to Authorized Chatbot Settings Update (BAC) |
WordPress Cliengo Chatbot plugin | Missing Authorization (BAC) to Unauthenticated Chatbot Settings Update (BAC) |
WordPress Form Builder Plugin – Gutenberg Forms | Unauthenticated Arbitrary File Upload (BAC) |
WordPress Happy SCSS Compiler Compile SCSS to CSS automatically plugin | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
WP Accessibility Helper (WAH) | Broken Access Control (BAC) |
WP Ajax Contact Form | Arbitrary Email Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
WP EasyPay | Missing Authorization (BAC) to Unauthenticated Service Disconnection |
WP eMember | Arbitrary File Upload (BAC) |
WP eStore | Coupon Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
WP Fast Total Search | Broken Access Control (BAC) |
WPForms User Registration | Privilege Escalation (BAC) |
WP GoToWebinar | Broken Access Control (BAC) |
WP Links Page | Missing Authorization (BAC) to Limited Image Update |
WP Meteor Page Speed Optimization Topping | Unauthenticated Full Path Disclosure (BAC) |
WP Mobile Menu | Missing Authorization (BAC) to _mobmenu_icon Post Meta Modification (BAC) |
WP Popups | Unauthenticated Full Path Disclosure (BAC) |
WP QuickLaTeX | Cross-Site Scripting (XSS) in Background Color field |
WP RSS Aggregator | Missing Authorization (BAC) to Feed State Update |
WPS Hide Login | Hidden Login Page Disclosure (BAC) |
WP User Switch | Privilege Escalation (BAC) |
XCloner Backup, Restore and Migrate | Unauthenticated Full Path Disclosure (BAC) |
XPlainer WooCommerce Product FAQ | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
XPlainer WooCommerce Product FAQ | Missing Authorization (BAC) to Settings Update (BAC) |
YITH Essential Kit for WooCommerce #1 | Missing Authorization (BAC) to Limited Plugin Install, Activation, and Deactivation |
Youzify | Broken Access Control (BAC) |
Zephyr Project Manager | Privilege Escalation (BAC) |
WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
WP BAC & WordPress Broken Access Control reported in 2024: | 1063 |
WHO needs tailored WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC AUG 2024: WP Broken Access Control Patch Management.
Security is not a single-task job
Need tailored WP Security and got no clue where to start? Hire an expert. Pay a coffee per week or figure it out yourself.