WP BAC DEC 2024
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control vulnerabilities, identified and reported publicly. WP BAC DEC 2024 is a 22% DECREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT – OR – switching to a TOP10LIST alternative WP Security Plugin – OR – hiring us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality calls for a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate a "gazillion" different threats to your WordPress site. Keep in mind that a WAF/IPS only filters requests it recognises as malicious: a missing capability or nonce check inside a plugin is closed only by the vendor's patch, which is why the monthly list is first of all a patching checklist. Get your WP BAC DEC 2024: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category (each row gives the plugin or theme, then the reported vulnerability chain; "Unauthenticated" means the flaw was reachable without logging in):
AccessPress Staple Theme | Arbitrary Plugin Activation (BAC) and Deactivation (BAC) to Remote Code Execution (RCE) |
Advanced Order Export For WooCommerce | Unauthenticated PHP Object Injection (BAC) |
Advanced Personalization | PHP Object Injection (BAC) |
Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT) All in One | Broken Access Control (BAC) |
AI Quiz | Broken Access Control (BAC) |
Airin Blog Theme | PHP Object Injection (BAC) |
AJAX Random Posts | PHP Object Injection (BAC) |
Alphabetical List | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Anonymous Restricted Content | Unauthenticated Content Restriction Bypass (BAC) to Private Information Exposure |
AppPresser | Unauthenticated Privilege Escalation (BAC) from Password Reset |
Aqua SVG Sprite | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Audio Record | Arbitrary File Upload (BAC) |
B-Banner Slider | Arbitrary File Upload (BAC) |
Backup and Staging by WP Time Capsule | Unauthenticated Arbitrary File Upload (BAC) |
Banner System | Privilege Escalation (BAC) |
Bard Extra | Missing Authorisation (BAC) to Demo Import |
BasePress Migration Tools | Arbitrary File Upload (BAC) |
Boat Rental Plugin for WordPress | Arbitrary File Upload (BAC) |
Booking & Appointment Plugin for WooCommerce | Arbitrary Option Update (BAC) |
Booking calendar, Appointment Booking System | Unauthenticated Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Buy one click WooCommerce | Missing Authorisation (BAC) to Settings Export (BAC) |
Buying Buddy IDX CRM | Cross-Site Request Forgery (CSRF) to PHP Object Injection (BAC) |
CDI | Arbitrary File Upload (BAC) |
CE21 Suite | Missing Authorisation (BAC) to Unauthenticated Plugin Settings Change (BAC) |
CF7 Reply Manager | Arbitrary File Upload (BAC) |
Chatter | Broken Access Control (BAC) |
Classified Listing | Arbitrary Option Update (BAC) |
Clone | Unauthenticated PHP Object Injection (BAC) from 'recursive_unserialized_replace' |
CM Table Of Contents – WordPress TOC Plugin | Settings Reset (BAC) from Cross-Site Request Forgery (CSRF) |
Combo WP Rewrite Slugs | Settings Change (BAC) |
Computer Repair Shop | Arbitrary File Upload (BAC) |
Contact Form by WPForms | Cross-Site Request Forgery (CSRF) to Plugin's Log Deletion (BAC) |
Contact Page With Google Map | Arbitrary File Deletion (BAC) |
Contest Gallery | Unauthenticated Arbitrary Password Reset (BAC) to Privilege Escalation (BAC) and Account Takeover (BAC) |
Convert Docx2post | Arbitrary File Upload (BAC) |
CSV to html | Arbitrary File Upload (BAC) |
Customer Reviews for WooCommerce | Missing Authorisation (BAC) to Import Cancellation |
CYAN Backup | Arbitrary File Download (BAC) |
Datasets Manager by Arttia Creative | Arbitrary File Upload (BAC) |
de:branding | Privilege Escalation (BAC) |
Debug Tool | Unauthenticated Arbitrary File Creation (BAC) |
Devexhub Gallery | Arbitrary File Upload (BAC) |
DigiPass | Arbitrary File Download (BAC) |
Do That Task | Arbitrary File Upload (BAC) |
Drop Shadow Boxes | Arbitrary Shortcode Execution (BAC) |
Easy Accordion Gutenberg Block | Broken Access Control (BAC) |
Easy CSV Importer BETA | Arbitrary File Upload (BAC) |
EleForms | Missing Authorisation (BAC) |
Elementor – Header, Footer & Blocks Template | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Elfsight Telegram Chat CC | Missing Authorisation (BAC) to Cross-Site Scripting (XSS) |
Essential Addons for Elementor | Private Information Exposure to Privilege Escalation (BAC) |
Exclusive Content Password Protect | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
External Database Based Actions | Authentication Bypass (BAC) |
F4 Improvements | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Fediverse Embeds | Arbitrary File Upload (BAC) |
File Manager Pro | Arbitrary File Upload (BAC) |
Floating Buttons for WooCommerce | Broken Access Control (BAC) |
FluentSMTP | Unauthenticated PHP Object Injection (BAC) |
Forms | Arbitrary File Upload (BAC) |
Gallerio | Arbitrary File Upload (BAC) |
GamiPress | Unauthenticated Arbitrary Shortcode Execution (BAC) from gamipress_get_user_earnings |
GEO my WordPress | Arbitrary File Upload (BAC) |
Geolocator | PHP Object Injection (BAC) |
Global Gateway e4 / Payeezy Gateway | Arbitrary File Deletion (BAC) |
GPX Viewer | Arbitrary File Creation (BAC) |
Grid View Gallery | PHP Object Injection (BAC) |
Grip Theme | Arbitrary Plugin Activation (BAC) and Deactivation (BAC) to Remote Code Execution (RCE) |
Hacklog DownloadManager | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Hash Elements | Missing Authorisation (BAC) to Unauthenticated Draft Post Title Exposure |
HB AUDIO GALLERY | Arbitrary File Upload (BAC) |
Heateor Social Login | Authentication Bypass (BAC) |
Hide Links | Unauthenticated Shortcode Execution (BAC) |
Hive Support – WordPress Help Desk | Arbitrary File Upload (BAC) |
Hustle | Missing Authorisation (BAC) to Unauthorized Form Submission |
Hustle | Missing Authorisation (BAC) to Unpublished Form Exposure |
Image Alt Text | Missing Authorisation (BAC) to Image Alt Text Update (BAC) |
Image Classify | Arbitrary File Upload (BAC) |
InPost Gallery | Arbitrary Shortcode Execution (BAC) from inpost_gallery_get_shortcode_template |
Instant Image Generator | Arbitrary File Upload (BAC) |
JetWidgets For Elementor | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Jobify - Job Board WordPress Theme | Broken Access Control (BAC) |
Jobify - Job Board WordPress Theme | Unauthenticated Arbitrary File Read (BAC) |
JobSearch | Arbitrary File Upload (BAC) |
JobSearch | Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC) |
JobSearch | Unauthenticated Arbitrary File Upload (BAC) |
KBucket | Arbitrary File Upload (BAC) |
kineticPay for WooCommerce | Arbitrary File Upload (BAC) |
Kognetiks Chatbot for WordPress | Missing Authorisation (BAC) to Assistant Addition (BAC) |
Kognetiks Chatbot for WordPress | Missing Authorisation (BAC) to Assistant Deletion (BAC) |
Kognetiks Chatbot for WordPress | Missing Authorisation (BAC) to Assistant Update (BAC) |
Kognetiks Chatbot for WordPress | Cross-Site Request Forgery (CSRF) to Assistant Modification (BAC) |
Leopard - WordPress offload media | Missing Authorisation (BAC) to Arbitrary Options Update (BAC) |
Lis Video Gallery | PHP Object Injection (BAC) |
Lock User Account | User Lock Bypass (BAC) |
Loginizer | Authentication Bypass (BAC) |
Loginizer Security | Authentication Bypass (BAC) |
LSX Tour Operator | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Luna Web Radio Player | Unauthenticated Arbitrary File Read (BAC) |
Matix Popup Builder | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
mFolio Lite | Missing Authorisation (BAC) to File Upload (BAC) from EXE and SVG Files |
MP3 Sticky Player | Unauthenticated Arbitrary File Read (BAC) and Download (BAC) |
MPG | Directory Traversal to File Deletion (BAC) |
MultiManager WP | Authentication Bypass (BAC) from User Impersonation |
Music Player for Elementor – Audio Player & Podcast Player | Missing Authorisation (BAC) to Template Import |
My Contador lesr | Missing Authorisation (BAC) to Unauthenticated User Registration CSV Export (BAC) |
My Geo Posts Free | PHP Object Injection (BAC) |
NIX Anti-Spam Light | PHP Object Injection (BAC) |
Opal Woo Custom Product Variation | Arbitrary File Deletion (BAC) |
Otter - Gutenberg Block | Broken Access Control (BAC) |
Otter - Gutenberg Block | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Otter - Gutenberg Block | Unauthenticated Path Traversal (BAC) to Arbitrary Image View |
Paid Member Subscriptions | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Pathomation | Arbitrary File Upload (BAC) |
Paytium | Broken Access Control (BAC) |
Picsmize | Arbitrary File Upload (BAC) |
Pie Register Premium | Broken Access Control (BAC) |
Popup box | Missing Authorisation (BAC) to Unauthenticated Options Update (BAC) |
Post From Frontend | Post Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
PostX | Missing Authorisation (BAC) to Arbitrary Plugin Installation (BAC) and Activation (BAC) |
Product Designer | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Product Input Fields for WooCommerce | Arbitrary File Read (BAC) |
ProfileGrid | Missing Authorisation (BAC) to Arbitrary User Meta Deletion (BAC) |
ProfilePress | Unauthenticated Content Restriction Bypass (BAC) to Private Information Exposure |
PublishPress Revisions | Missing Authorisation (BAC) to Private Information Exposure |
Push Notifications for WordPress by PushAssist | Arbitrary File Upload (BAC) |
QRMenu Restaurant QR Menu Lite | PHP Object Injection (BAC) |
Quick Learn | PHP Object Injection (BAC) |
Rank Math SEO | Arbitrary htaccess Overwrite (BAC) to Remote Code Execution (RCE) |
Really Simple Security Pro | Account Takeover (BAC) |
Really Simple Security Pro multisite | Account Takeover (BAC) |
Really Simple SSL | Account Takeover (BAC) |
Referrer Detector | PHP Object Injection (BAC) |
RegistrationMagic | Unauthenticated Privilege Escalation (BAC) from Password Recovery |
Relais 2FA | Authentication Bypass (BAC) |
Request a Quote for WooCommerce and Elementor | Unauthenticated Arbitrary Shortcode Execution (BAC) from fire_contact_form |
Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation | Arbitrary File Upload (BAC) |
School Management | Unauthenticated Arbitrary File Upload (BAC) |
Security & Malware scan by CleanTalk | Authorisation Bypass (BAC) from Reverse DNS Spoofing to Unauthenticated SQL Injection (SQLi) |
Simple Local Avatars | Missing Authorisation (BAC) to User Cache Clearing |
Sirv | Missing Authorisation (BAC) to Arbitrary Option Deletion (BAC) |
SK WP Settings Backup | Cross-Site Request Forgery (CSRF) to PHP Object Injection (BAC) |
Sky Addons for Elementor | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
Sky Addons for Elementor | Missing Authorisation (BAC) to Arbitrary Options Update (BAC) |
Smart Marketing SMS and Newsletters Forms | Broken Access Control (BAC) |
Social Login | Authentication Bypass (BAC) |
Spam protection, AntiSpam, FireWall by CleanTalk | Authorisation Bypass (BAC) from Reverse DNS Spoofing |
Spam protection, AntiSpam, FireWall by CleanTalk | Authorisation Bypass (BAC) |
Styler for Ninja Forms | Arbitrary Option Deletion (BAC) from deactivate_license |
Super Socializer | Authentication Bypass (BAC) |
Support SVG | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
SVG Block | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
System Dashboard | Path Traversal (BAC) |
Team Rosters | PHP Object Injection (BAC) |
Th Shop Mania Theme | Arbitrary Plugin Installation (BAC) and Activation (BAC) |
The Novel Design Store Directory | Arbitrary File Upload (BAC) |
Tickera | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Top Store Theme | Arbitrary Plugin Installation (BAC) and Activation (BAC) |
Tumult Hype Animations | Missing Authorisation (BAC) |
Tumult Hype Animations | Arbitrary File Upload (BAC) from hypeanimations_panel Function |
Tutor LMS | User Registration Setting Bypass (BAC) to Unauthorized User Registration (BAC) |
Uix Slideshow | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Ultimate Member | Missing Authorisation (BAC) to Arbitrary User Profile Picture Update (BAC) |
Ultimate YouTube Video & Shorts Player With Vimeo | Missing Authorisation (BAC) to Arbitrary Playlist and Video Deletion (BAC) |
Ultimate YouTube Video & Shorts Player With Vimeo | Missing Authorisation (BAC) to Setting Exposure |
User Extra Fields | Unauthenticated Arbitrary File Upload (BAC) |
User Extra Fields | Missing Authorisation (BAC) to Privilege Escalation (BAC) |
User Extra Fields | Unauthenticated Arbitrary File Deletion (BAC) |
User Management | Arbitrary File Upload (BAC) |
UserPlus | Privilege Escalation (BAC) |
Video Gallery for WooCommerce | Missing Authorisation (BAC) to Unauthenticated File Deletion (BAC) |
Wawp | Account Takeover (BAC) |
WDES Responsive Mobile Menu | PHP Object Injection (BAC) |
WOLF | CSV Path Traversal (BAC) |
WooCommerce Product Table Lite | Unauthenticated Arbitrary Shortcode Execution (BAC) & Cross-Site Scripting (XSS) |
WooCommerce Report | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
WooCommerce Social Login | Authentication Bypass (BAC) |
WooCommerce Support Ticket System | Unauthenticated Arbitrary File Deletion (BAC) |
WooCommerce Support Ticket System | Unauthenticated Arbitrary File Upload (BAC) |
WooCommerce Upload Files | Unauthenticated Arbitrary File Upload (BAC) |
WOOCS – WooCommerce Currency Switcher | Unauthenticated Arbitrary Shortcode Execution (BAC) |
WordPress GDPR & CCPA | Missing Authorisation (BAC) to Unauthenticated Arbitrary User Deletion (BAC) |
WordPress Video Robot - The Ultimate Video Importer | Privilege Escalation (BAC) from User Meta Update (BAC) |
WP Chat App | Missing Authorisation (BAC) to Filebird Plugin Installation (BAC) |
WP Log Viewer | Missing Authorisation (BAC) |
WP Membership | Unauthenticated Arbitrary File Upload (BAC) |
WP Photo Album Plus | Unauthenticated Arbitrary Shortcode Execution (BAC) from getshortcodedrenderedfenodelay |
WP Project Manager | Insecure Direct Object Reference (IDOR) to Unauthenticated Authorisation Bypass (BAC) |
WP Project Manager | Missing Authorisation (BAC) to Project Milestone and Task Creation (BAC) and Deletion |
WP Quick Setup | Arbitrary Plugin and Theme Installation (BAC) to Remote Code Execution (RCE) |
WP Travel Engine | Missing Authorisation (BAC) to Plugin Settings Update (BAC) |
WP User Manager | Missing Authorisation (BAC) to User Meta Key Enumeration |
WP User Manager | Missing Authorisation (BAC) to Carbon Fields Custom Sidebar Addition (BAC) and Removal |
WP-Orphanage Extended | Cross-Site Request Forgery (CSRF) to Orphan Account Privilege Escalation (BAC) |
WPB Popup for Contact Form 7 | Unauthenticated Arbitrary Shortcode Execution (BAC) from wpb_pcf_fire_contact_form |
WPDash Notes | Missing Authorisation (BAC) to Private Information Exposure |
WPGYM | Missing Authorisation (BAC) to Privilege Escalation (BAC) |
WPGYM | Unauthenticated Arbitrary File Upload (BAC) |
WPLMS Theme | Unauthenticated Arbitrary File Read (BAC) and Deletion (BAC) |
WPvivid Backup and Migration | Unauthenticated PHP Object Injection (BAC) |
Writer Helper | Arbitrary File Upload (BAC) |
Xin Theme | PHP Object Injection (BAC) |
Xpresslane Fast Checkout | PHP Object Injection (BAC) |
XT Floating Cart for WooCommerce | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Yaad Sarig Payment Gateway For WC | Missing Authorisation (BAC) to Log Read (BAC) and Deletion |
Zotpress | Missing Authorisation (BAC) |
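Most rows in the list above chain from one of two missing checks in a plugin's request handler: a capability check (the "Missing Authorisation (BAC)" rows) or a nonce check (the "Cross-Site Request Forgery (CSRF)" rows), with "Unauthenticated" meaning the handler was also reachable without logging in. The following is an added illustration written for this report, not code from any plugin or theme listed; the slug bacdemo, the option name bacdemo_settings, the hook and function names and the manage_options capability are assumptions chosen for the example. It shows the vulnerable shape of a WordPress AJAX settings handler beside the hardened one.

```php
<?php
/*
 * Added example for this report, not code from any listed plugin or theme.
 * Assumptions: plugin slug "bacdemo", option "bacdemo_settings",
 * capability "manage_options", two known settings keys.
 */

// --- Vulnerable form --------------------------------------------------------
// 1. wp_ajax_nopriv_ registers the handler for visitors who are NOT logged in,
//    so anyone on the internet can reach it ("Unauthenticated ...").
// 2. No current_user_can() check: any caller may change the option
//    ("Missing Authorisation (BAC) to Options Update").
// 3. No nonce check: even a logged-in admin can be made to send this request
//    from a third-party page ("Cross-Site Request Forgery (CSRF) to Settings Update").
add_action( 'wp_ajax_bacdemo_save', 'bacdemo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_bacdemo_save', 'bacdemo_save_settings_vulnerable' );

function bacdemo_save_settings_vulnerable() {
    // Whatever the request carries is written straight into the option.
    // If the option NAME were also taken from the request, this would be the
    // "Arbitrary Option Update (BAC) to Privilege Escalation" pattern
    // (e.g. flipping users_can_register and default_role).
    $settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array();
    update_option( 'bacdemo_settings', $settings );
    wp_send_json_success();
}

// --- Hardened form ----------------------------------------------------------
// Only the logged-in hook is registered: an anonymous visitor has no
// legitimate reason to save admin settings.
add_action( 'wp_ajax_bacdemo_save_v2', 'bacdemo_save_settings_hardened' );

function bacdemo_save_settings_hardened() {
    // CSRF: verify the nonce WordPress issued to this user for this action.
    // check_ajax_referer() terminates the request with -1 if it does not match.
    check_ajax_referer( 'bacdemo_save_settings', 'nonce' );

    // Authorisation: a nonce proves intent, not permission. A subscriber can
    // obtain a valid nonce too, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input: accept only the keys we expect and sanitise each value, so the
    // handler cannot be turned into a generic "write anything" primitive.
    $allowed  = array( 'api_key', 'enabled' );
    $incoming = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $clean = array();
    foreach ( $allowed as $key ) {
        if ( isset( $incoming[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $incoming[ $key ] );
        }
    }

    update_option( 'bacdemo_settings', $clean );
    wp_send_json_success( $clean );
}

// The nonce the hardened handler expects is minted server-side with
// wp_create_nonce( 'bacdemo_save_settings' ) and passed to the page's
// JavaScript (for example through wp_localize_script()), which sends it
// back as the "nonce" POST field.
```

The same two checks apply to REST routes registered with register_rest_route(): a permission_callback that returns true unconditionally (__return_true) is the REST equivalent of a wp_ajax_nopriv_ handler with no capability check. When auditing a plugin, the quickest triage is therefore to list every wp_ajax_nopriv_ hook, every admin_init/init handler that reads $_POST or $_GET, and every REST permission_callback, then confirm each one performs both a nonce and a capability check before touching options, files, users or shortcodes.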
WP BAC (WordPress Broken Access Control) cases reported in 2023: 931
WP BAC (WordPress Broken Access Control) cases reported in 2024: 1805
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus occasional emergency changes when critical vulnerabilities are publicly disclosed before a patch is available. Order WP BAC DEC 2024: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and have no clue where to start? Hire an expert. Pay the price of a coffee per week; it's cheaper than one hour of a freelancer's time.
Not sure that our recurrent security offer is worth long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.
We’re passionate about helping you grow and make your impact
Continue being informed
Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes.
Weekly inspiration and news, with occasional hand-picked deals. Unsubscribe anytime.