WP BAC JAN 2025
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control vulnerabilities, identified and reported publicly. WP BAC JAN 2025 shows a +7% INCREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT – OR – switching to a TOP10LIST alternative WP Security Plugin – OR – hiring us for your recurring needs in managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate a "gazillion" different threats in your WordPress. Get your WP BAC JAN 2025: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
3DPrint Lite | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
ACF City Selector | Arbitrary File Upload (BAC) |
Active Products Tables for WooCommerce | Unauthenticated Arbitrary Shortcode Execution (BAC) from woot_get_smth |
AdForest | Authentication Bypass (BAC) |
Advanced File Manager | Arbitrary File Upload (BAC) |
Advance Menu Manager | Settings Change (BAC) |
Agency Toolkit | Privilege Escalation (BAC) |
AI Magic | Privilege Escalation (BAC) |
AIO Contact | Unauthenticated Plugin Settings Change (BAC) |
AI Post Generator | AutoWriter | Missing Authorisation (BAC) to Post/Page Deletion (BAC) |
AI Quiz | Missing Authorisation (BAC) to Arbitrary Options Update (BAC) |
Analytify | Broken Access Control (BAC) |
Arabic Webfonts | Broken Access Control (BAC) |
Arena.IM – Live Blogging for real-time events | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
ARForms | Arbitrary File Read (BAC) |
ARForms | Plugin Settings Change (BAC) |
AR For WordPress | Missing Authorisation (BAC) to Unauthenticated Limited File Upload (BAC) |
ARMember | Arbitrary Shortcode Execution (BAC) |
Ashe Extra | Broken Access Control (BAC) |
Authors List | Unauthenticated Arbitrary Shortcode Execution (BAC) from update_authors_list_ajax |
Awesome Support | Broken Access Control (BAC) |
AyeCode Connect | Broken Access Control (BAC) |
Banner System | Broken Access Control (BAC) |
Biagiotti Membership | Authentication Bypass (BAC) from biagiotti_membership_check_facebook_user |
Bit Form – Contact Form Plugin | Missing Authorisation (BAC) to Form Submission Private Data Disclosure |
Bold Page Builder | Path Traversal (BAC) |
Button Block | Post Private Data Disclosure from Post Duplication (BAC) |
Caldera SMTP Mailer | Broken Access Control (BAC) |
Car Dealer | Broken Access Control (BAC) |
CE21 Suite | Privilege Escalation (BAC) |
Church Admin | Broken Access Control (BAC) |
CLUEVO LMS, E-Learning Platform | Cross-Site Request Forgery (CSRF) to Module Deletion (BAC) |
CM Answers | Broken Access Control (BAC) |
Computer Repair Shop | Account Takeover (BAC) |
Computer Repair Shop | Missing Authorisation (BAC) to Account Takeover (BAC) + Privilege Escalation (BAC) |
Contact Form by WPForms | Missing Authorisation (BAC) to Payment Refund and Subscription Cancellation |
Contact Form, Survey & Form Builder – MightyForms | Broken Access Control (BAC) |
CoSchool LMS | Account Takeover (BAC) |
Cost Calculator Builder | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Coupon Affiliates | Unauthenticated Arbitrary Shortcode Execution (BAC) and Cross-Site Scripting (XSS) |
Crafthemes Demo Import Theme | Arbitrary File Upload (BAC) in process_uploaded_files |
Custom Skins Contact Form 7 | Missing Authorisation (BAC) to Arbitrary Post Update (BAC) and Skin Creation |
Database Backup | Arbitrary File Read (BAC) |
Data Tables Generator by Supsystic | Broken Access Control (BAC) |
DELUCKS SEO | Arbitrary File Download (BAC) |
DN Shipping by Weight for WooCommerce | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Download Manager | Broken Access Control (BAC) |
Download Manager | Improper Authorisation (BAC) to Unauthenticated Download of Password Protected Files + Private Data |
Download Manager | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Dreamfox Media Payment gateway per Product for Woocommerce | Broken Access Control (BAC) |
Easy Blocks pro | Broken Access Control (BAC) |
Easy Digital Downloads | Improper Authorisation (BAC) to Paywall Bypass (BAC) |
Easy Digital Downloads | Arbitrary File Download (BAC) |
Easy Site Importer | Settings Change (BAC) |
EditionGuard for WooCommerce – eBook Sales with DRM | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
eewee admin custom | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Eleblog – Elementor Blog And Magazine Addons | Missing Authorisation (BAC) to Deactivation Submission |
Element Pack Elementor Addons | Missing Authorisation (BAC) |
ELEX WooCommerce Dynamic Pricing and Discounts | Missing Authorisation (BAC) |
Essential Real Estate | Missing Authorisation (BAC) to Information Exposure |
Event Tickets with Ticket Scanner | Missing Authorisation (BAC) to Cross-Site Scripting (XSS) |
Eyewear prescription form | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
Falcon – WordPress Optimizations & Tweaks | Broken Access Control (BAC) |
Filebird | Broken Access Control (BAC) |
File Manager Pro | Missing Authorisation (BAC) to Filebird Plugin Installation (BAC) |
Firebase OTP Authentication | Account Takeover (BAC) |
Flash News / Post (Responsive) | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Floating Action Buttons | Broken Access Control (BAC) |
FloristPress | Broken Access Control (BAC) |
FloristPress | Nonce Leakage to Broken Access Control (BAC) |
FooGallery Premium | Directory Traversal (BAC) |
Friends | Missing Authorisation (BAC) |
Gaga Lite Theme | Arbitrary Plugin Activation (BAC) and Deactivation (BAC) to Remote Code Execution (RCE) |
gap-hub-user-role | Cross-Site Request Forgery (CSRF) to Broken Authentication (BAC) |
GEO my WordPress | Broken Access Control (BAC) |
GitSync | Cross-Site Request Forgery (CSRF) to Remote Code Execution (BAC) |
Gold Addons for Elementor | Missing Authorisation (BAC) to License Activation (BAC) and Deactivation (BAC) |
Gou Manage My Account Menu | Broken Access Control (BAC) |
Grid Plus | Unauthenticated Arbitrary Shortcode Execution (BAC) from grid_plus_load_by_category |
Hash Form | Missing Authorisation (BAC) to Form Style Creation |
HQ Rental Software | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
If Menu | Missing Authorisation (BAC) to License Key Update (BAC) |
Import Export For WooCommerce | Arbitrary File Upload (BAC) |
Insertify | Cross-Site Request Forgery (CSRF) to Remote Code Execution (BAC) |
Job Board Manager | Broken Access Control (BAC) |
KH Easy User Settings | Privilege Escalation (BAC) |
kk Star Ratings | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Knowledge Base documentation & wiki plugin – BasePress | Missing Authorisation (BAC) to Database Update (BAC) |
Ksher | Broken Access Control (BAC) |
Leader | Broken Access Control (BAC) |
LifterLMS | Missing Authorisation (BAC) to Arbitrary Post Deletion (BAC) |
ListApp Mobile Manager | Account Takeover (BAC) |
Login Page Styler | Missing Authorisation (BAC) to Privilege Escalation (BAC) |
Login With OTP | Authentication Bypass (BAC) from Weak OTP |
Maintenance & Coming Soon Redirect Animation | Missing Authorisation (BAC) to Settings Update (BAC) |
MainWP Child | Missing Authorisation (BAC) to Unauthenticated Privilege Escalation (BAC) |
MarketKing | Missing Authorisation (BAC) |
Mark New Posts | Broken Access Control (BAC) |
Maspik – Spam blacklist | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
Member Directory and Contact Form | Broken Access Control (BAC) |
Memberful | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Members | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Message Filter for Contact Form 7 | Broken Access Control (BAC) |
Message Filter for Contact Form 7 | Missing Authorisation (BAC) to Filter Updates (BAC)/Deletions |
Minimum and Maximum Quantity for WooCommerce | Broken Access Control (BAC) |
Minterpress | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
MP3 Audio Player for Music, Radio & Podcast by Sonaar | Broken Access Control (BAC) |
MStore API | HTML File Upload (BAC) (Cross-Site Scripting (XSS)) |
News Ticker for Elementor | Broken Access Control (BAC) |
New User Approve | Broken Access Control (BAC) |
Ninja Forms | Arbitrary Shortcode Execution (BAC) |
Notibar | Arbitrary Shortcode Execution (BAC) from njt_nofi_text |
Notibar | Broken Access Control (BAC) |
OAuth Single Sign On – SSO (OAuth Client) | Authentication Bypass (BAC) |
One Paze Theme | Arbitrary Plugin Activation (BAC) and Deactivation (BAC) to Remote Code Execution (RCE) |
Opt-In Downloads | Arbitrary File Upload (BAC) |
Order Delivery & Pickup Location Date Time | Settings Change (BAC) |
Page Restriction WordPress (WP) | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Paid Member Subscriptions | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Pie Register (Add on) - Social Sites Login | Authentication Bypass (BAC) |
Pie Register Premium | Arbitrary File Upload (BAC) |
Pinpoint Booking System | Broken Access Control (BAC) |
PixProof | Broken Access Control (BAC) |
PlugVersions | Missing Authorisation (BAC) to Arbitrary File Creation |
Pojo Forms | Arbitrary Shortcode Execution (BAC) from form_preview_shortcode |
Poll Maker | Cross-Site Request Forgery (CSRF) to Poll Duplication (BAC) |
Popup Surveys & Polls for WordPress (Mare.io) | Settings Change (BAC) |
Posti Shipping | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
PPWP – WordPress Password Protect Page | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Premium Addons for Elementor | Broken Access Control (BAC) |
Print Invoice & Delivery Notes for WooCommerce | Missing Authorisation (BAC) to Logo Deletion (BAC) |
Prodigy Commerce | Broken Access Control (BAC) |
Projectopia | Account Takeover (BAC) |
Pubnews Theme | Unauthenticated Arbitrary Plugin Installation (BAC) |
Quietly Insights | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
RapidLoad Power-Up for Autoptimise | Missing Authorisation (BAC) to Plugin Settings Modification (BAC) and SQL Injection (SQLi) |
Restrict | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Revy | Unauthenticated Arbitrary File Upload (BAC) |
Royal Elementor Addons | Broken Access Control (BAC) |
SG Helper | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Sign In With Google | Authentication Bypass (BAC) in authenticate_user |
Simple Dashboard | Privilege Escalation (BAC) |
Simple Ecommerce Shopping Cart | Missing Authorisation (BAC) to Settings Update (BAC) / Data Access |
Simple Link Directory | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Simple Notification | Broken Access Control (BAC) |
Simple Page Access Restriction | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Simple Restrict | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Simple User Registration | Broken Access Control (BAC) on User Deletion (BAC) |
Sinking Dropdowns | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
SiteOrigin Widgets Bundle | Broken Access Control (BAC) |
Smart Shopify Product | Arbitrary Content Deletion (BAC) |
SMS for Lead Capture Forms | Missing Authorisation (BAC) to Arbitrary Message Deletion (BAC) |
Sogrid | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Spreadr Woocommerce | Arbitrary Content Deletion (BAC) |
Spreadr Woocommerce | Broken Access Control (BAC) |
SSL Wireless SMS Notification | Privilege Escalation (BAC) |
SV100 Companion | Privilege Escalation (BAC) |
SVG Shortcode | Cross-Site Scripting (XSS) from SVG Upload (BAC) |
Sweet Date Theme | Privilege Escalation (BAC) |
Termin-Kalender | Broken Access Control (BAC) |
Timetics | Missing Authorisation (BAC) to Arbitrary User Deletion (BAC) |
TI WooCommerce Wishlist | Missing Authorisation (BAC) to Unauthenticated Plugin Setup Wizard Access |
Torod | Settings Change (BAC) |
Traveler | Missing Authorisation (BAC) in Several AJAX Actions |
Tutor LMS Elementor Addons | Broken Access Control (BAC) |
Userpro | Arbitrary User Meta Update (BAC) |
User Role Editor | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
vBSSO-lite | Account Takeover (BAC) |
VibeBP | Unauthenticated Privilege Escalation (BAC) |
Video & Photo Gallery for Ultimate Member | Arbitrary File Upload (BAC) |
Visualmodo Elements | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
VW Automobile Lite Theme | Broken Access Control (BAC) |
Wayne Audio Player | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
WC Price History for Omnibus | Missing Authorisation (BAC) |
WDesignkit | Arbitrary File Upload (BAC) |
Widget Options | Broken Access Control (BAC) |
Woffice Theme | Unauthenticated Account Takeover (BAC) |
WooCommerce Basic Ordernumbers | Broken Access Control (BAC) |
WooCommerce PDF Vouchers | Broken Authentication (BAC) |
WooCommerce Point of Sale | Insecure Direct Object Reference (IDOR) to Privilege Escalation (BAC) from Arbitrary User Email Change (BAC) |
WoodMart | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Wovax IDX | Account Takeover (BAC) |
WP BASE Booking | Missing Authorisation (BAC) to Private Data Information Exposure from app_export_db |
WPBITS Addons For Elementor Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
WPCargo Track & Trace | Settings Change (BAC) |
WP Cookie Notice for GDPR, CCPA & ePrivacy Consent | Missing Authorisation (BAC) to Whitelist Script |
WP-CRM System | Broken Access Control (BAC) |
WP Crowdfunding | Missing Authorisation (BAC) to WooCommerce Installation (BAC) |
WPC Shop as a Customer for WooCommerce | Authentication Bypass (BAC) Due to Insufficiently Unique Key |
WP Hide Security Enhancer | Missing Authorisation (BAC) to Unauthenticated Arbitrary File Contents Deletion (BAC) |
WPLMS | Arbitrary Directory Deletion (BAC) |
WPLMS | Arbitrary File Upload (BAC) |
WPLMS | Arbitrary File Upload (BAC) |
WPLMS | Arbitrary File Upload (BAC) |
WPLMS | Arbitrary File Deletion (BAC) |
WPLMS | Arbitrary File Upload (BAC) |
WPLMS | Unauthenticated Arbitrary Directory Deletion (BAC) |
WPLMS | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
WPLMS | Unauthenticated Arbitrary File Upload (BAC) |
WPLMS | Unauthenticated Privilege Escalation (BAC) |
WP Mailster | Broken Access Control (BAC) |
WP Mailster | Broken Access Control (BAC) |
WPMasterToolKit | Arbitrary File Download (BAC) |
WPMasterToolKit | Arbitrary File Upload (BAC) |
WP Menu Image | Broken Access Control (BAC) |
WPMobile.App | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Wp NssUser Register | Privilege Escalation (BAC) |
WP Private Content Plus | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
WP SHAPES | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
WPSSO Core | Broken Access Control (BAC) |
WP SuperBackup | Multiple Broken Access Control (BAC) |
WP SuperBackup | Unauthenticated Arbitrary File Upload (BAC) |
WP SuperBackup | Unauthenticated Arbitrary File Upload (BAC) |
WP SuperBackup | Unauthenticated Backup File Download (BAC) |
WP Travel | Broken Access Control (BAC) |
XML Multilanguage Sitemap Generator | Broken Access Control (BAC) |
Youtube Video Grid | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
Zita Site Builder | Arbitrary Plugin Installation (BAC) and Activation (BAC) |
畅言评论系统 | Broken Access Control (BAC) |
WP BAC & WordPress Broken Access Control reported in 2023: 931
WP BAC & WordPress Broken Access Control reported in 2024: 2024
WP BAC & WordPress Broken Access Control reported in 2025: 219
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC JAN 2025: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and got no clue where to start? Hire an expert. Pay the price of a coffee per week; it's cheaper than 1 hour of a freelancer.
Not sure that our recurrent security offer is worthy of long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.
We’re passionate about helping you grow and make your impact
Continue being informed
Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes.
Weekly inspiration, news and occasional hand-picked deals. Unsubscribe anytime.