WP BAC JUL 2024
WP Broken Access Control
Tailored WordPress Security Report
Be informed about the latest WP Broken Access Control issues, identified and reported publicly. WP BAC JUL 2024 is a +44% INCREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT, – OR – switching to a TOP10LIST alternative WP Security Plugin, – OR – hiring professionals for tailored WP Security.
WHO needs tailored WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate a "gazillion" different threats to your WordPress site. Get your WP BAC JUL 2024: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Plugin / Theme | Vulnerability |
Admin Notices Manager | Missing Authorization (BAC) to User Email Retrieval |
Advanced Contact form 7 DB | Missing Authorization (BAC) to Unauthenticated Information Disclosure (BAC) |
Advanced Custom Fields PRO | Broken Access Control (BAC) |
Advanced Custom Fields PRO | Broken Access Control (BAC) |
Album Gallery – WordPress Gallery | Broken Access Control (BAC) |
Ali2Woo Lite | Arbitrary File Upload (BAC) |
Ali2Woo Lite | Broken Access Control (BAC) |
Ali2Woo Lite | Broken Access Control (BAC) |
Ali2Woo Lite | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Attire Blocks | Missing Authorization (BAC) |
Authorize.net Payment Gateway For WooCommerce | Insufficient Verification of Data Authenticity to Unauthenticated Payment Bypass (BAC) |
Auto Featured Image | Arbitrary File Upload (BAC) |
Awesome Support | Broken Access Control (BAC) |
Bookster | Unauthenticated Appointment Status Update (BAC) |
Boostify Header Footer Builder for Elementor | Missing Authorization (BAC) to Page/Post Creation (BAC) |
Bosa Elementor Addons and Templates for WooCommerce | Broken Access Control (BAC) |
BuddyForms | Email Verification Bypass (BAC) due to Insufficient Randomness |
BuddyPress Cover | Arbitrary File Upload (BAC) |
CB (legacy) | Code/Timeframe/Booking Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
CF7 Google Sheets Connector | Missing Authorization (BAC) to Limited Site Configuration Update (BAC) |
Checkout Field Editor for WooCommerce (Pro) | Unauthenticated Arbitrary File Deletion (BAC) |
Church Admin | Broken Access Control (BAC) |
Claudio Sanches | Insufficient Verification of Data Authenticity to Order Payment Status Update (BAC) |
Clever Fox | Missing Authorization (BAC) to arbitrary theme activation via clever-fox-activate-theme |
Contact Form Builder, Contact Widget | Bypass (BAC) |
ContentLock | Groups/Emails Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
ContentLock | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
ConvertKit | Broken Access Control (BAC) |
Cookie Consent | Broken Access Control (BAC) |
Copymatic – AI Content Writer & Generator | Broken Access Control (BAC) |
Countdown & Clock | Missing Authorization (BAC) to PHP Object Injection |
Custom Font Uploader | Missing Authorization (BAC) to Font Deletion (BAC) |
Dashboard To-Do List | Broken Access Control (BAC) |
Database Cleaner | Arbitrary File Read (BAC) |
Debug Log Manager | Broken Access Control (BAC) |
Defender Security | Broken Access Control (BAC) |
Demo Awesome | Broken Access Control (BAC) |
e2pdf | Broken Access Control (BAC) |
Easy Affiliate Links | Missing Authorization (BAC) to Settings Reset (BAC) |
Easy Forms for Mailchimp | Broken Access Control (BAC) |
Easy Image Collage | Missing Authorization (BAC) to Arbitrary Post Content Deletion (BAC) |
Elements kit Elementor addons | Unauthenticated Broken Access Control (BAC) |
Essential Real Estate | Insecure Direct Object Reference (IDOR) to Arbitrary Attachment Deletion (BAC) |
Extra Product Options for WooCommerce | Broken Access Control (BAC) |
Featured Image from URL | Broken Access Control (BAC) |
File Manager | Broken Access Control (BAC) |
Five Star Restaurant Menu | Missing Authorization (BAC) to Menu Creation (BAC) |
Folders Pro | Arbitrary File Upload (BAC) via handle_folders_file_upload |
FooEvents for WooCommerce | Arbitrary File Upload (BAC) |
Frontend Registration – Contact Form 7 | Privilege Escalation (BAC) |
GDPR CCPA Compliance Support | Missing Authorization (BAC) to Settings Update (BAC) and Cross-Site Scripting (XSS) |
Hercules Core | Arbitrary Settings Change/Access (BAC) |
Hide Dashboard Notifications | Missing Authorization (BAC) to Plugin Settings Modification (BAC) |
Ibtana | Broken Access Control (BAC) |
Ibtana | Unauthenticated Plugin Settings Update (BAC) |
Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery | Broken Access Control (BAC) |
Infographic Maker – iList | Arbitrary Title Update (BAC) |
Insert Post Ads | Broken Access Control (BAC) |
InstaWP Connect | Arbitrary File Upload (BAC) |
InstaWP Connect | Missing Authorization (BAC) to Unauthenticated API Setup, Arbitrary Options Update and Administrative User Creation (BAC) |
Integrate Google Drive | Broken Access Control (BAC) |
Kadence Blocks Pro | Arbitrary Option Access (BAC) |
Kanban Boards for WordPress | Broken Access Control (BAC) |
LA-Studio Element Kit for Elementor | Broken Access Control (BAC) |
LatePoint | Missing Authorization (BAC) and Private Information Exposure via IDOR |
Laybuy Payment Extension for WooCommerce | Broken Access Control (BAC) |
LearnPress | Private Information Disclosure (BAC) via JSON API |
Leyka | Broken Access Control (BAC) |
Lifeline Donation | Authentication Bypass (BAC) |
Login/Signup Popup | Missing Authorization (BAC) to Arbitrary Options Exposure (BAC) |
Login/Signup Popup | Missing Authorization (BAC) to Arbitrary Options Update (BAC) |
Login with phone number | Insecure Password Reset (BAC) Mechanism |
Market Exporter | Missing Authorization (BAC) to Arbitrary File Deletion (BAC) |
Master Addons for Elementor | Broken Access Control (BAC) on API |
Master Addons for Elementor | Missing Authorization (BAC) to MA Template Creation (BAC) or Modification (BAC) |
Masterstudy Elementor Widgets | Unauthenticated Broken Access Control (BAC) |
MasterStudy LMS | Broken Access Control (BAC) |
Materialis Theme | Missing Authorization (BAC) to Limited Arbitrary Options Update (BAC) |
Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow | Broken Access Control (BAC) |
Minimal Coming Soon & Maintenance Mode – Coming Soon Page | Missing Authorization (BAC) to Limited Settings Change |
MJ Update History | Broken Access Control (BAC) |
Muslim Prayer Time BD | Settings Reset (BAC) via Cross-Site Request Forgery (CSRF) |
Netgsm | Broken Access Control (BAC) |
Newsletter - API addon (Premium) | Missing Authorization (BAC) to Email Subscribers Management |
Newspack Blocks | Arbitrary Directory Deletion (BAC) |
Newspack Blocks | Arbitrary File Upload (BAC) |
Newspack Blocks | Broken Access Control (BAC) |
Optinly | Broken Access Control (BAC) |
Page Builder Sandwich – Front-End Page Builder | Broken Access Control (BAC) |
Paid Memberships Pro | Cross-Site Request Forgery to Membership Modification (BAC) |
Patreon WordPress | Image Protection Bypass (BAC) |
Pearl | Missing Authorization (BAC) to Unauthenticated Arbitrary Site Options Deletion (BAC) |
Pexels: Free Stock Photos | Arbitrary File Upload (BAC) |
Play.ht | Broken Access Control (BAC) |
Popup box | Broken Access Control (BAC) |
Popup Builder | Missing Authorization (BAC) in Multiple AJAX Actions |
Popup Builder | Missing Authorization (BAC) and Nonce Exposure |
ProfileGrid | Missing Authorization (BAC) |
Progress Planner | Broken Access Control (BAC) |
Promolayer | Missing Authorization (BAC) |
PropertyHive | Broken Access Control (BAC) |
QQWorld Auto Save Images | Missing Authorization (BAC) to Arbitrary Post Content Retrieval |
Radcliffe 2 Theme | Broken Access Control (BAC) |
Restrict for Elementor | Protection Mechanism Bypass (BAC) |
Robo Gallery | Cross-Site Request Forgery to Post Creation (BAC) |
Salon booking system | Unauthenticated Arbitrary File Upload (BAC) |
Salon booking system | Arbitrary File Deletion (BAC) |
Salon booking system | Missing Authorization (BAC) |
SC filechecker | Arbitrary File Deletion (BAC) |
Scheduling Plugin – Online Booking for WordPress | Unauthenticated Plugin Settings Reset (BAC) |
Sensei LMS | Broken Access Control (BAC) |
Sensei Pro (WC Paid Courses) | Broken Access Control (BAC) |
Simple COD Fees for WooCommerce | Broken Access Control (BAC) |
Sirv | Arbitrary File Upload (BAC) |
SiteGuard WP Plugin | Login Page Disclosure (BAC) |
Slider Responsive Slideshow – Image slider, Gallery slideshow | Broken Access Control (BAC) |
Smush Image Compression and Optimization | Resmush List Deletion (BAC) |
Social Link Pages | Missing Authorization (BAC) to Arbitrary Page Creation (BAC) and Cross-Site Scripting (XSS) |
Social Login Lite For WooCommerce | Authentication Bypass (BAC) |
Sparkle Demo Importer | Post/Pages/Attachments Deletion (BAC) and Demo Data Import |
Squeeze | Arbitrary File Upload (BAC) |
Startklar Elementor Addons | Unauthenticated Path Traversal to Arbitrary Directory Deletion (BAC) |
Strategery Migrations | Arbitrary File Deletion (BAC) |
Strong Testimonials | Improper Authorization to Views Modification (BAC) |
The Moneytizer | Missing Authorization (BAC) via multiple AJAX actions |
Tickera | Broken Access Control (BAC) |
Tickera | Ticket Deletion (BAC) |
Timetics | Broken Access Control (BAC) |
Timetics | Missing Authorization (BAC) to Limited Privilege Escalation (BAC) |
Tutor LMS | Insecure Direct Object Reference (IDOR) to Arbitrary Quiz Attempt Deletion (BAC) |
Uber Menu | Cross-Site Request Forgery to Settings Reset (BAC) |
Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Uncanny Automator Pro | Cross-Site Request Forgery (CSRF) Leading to License Settings Reset (BAC) |
Uncanny Automator Pro | Unauthenticated License Settings Reset (BAC) |
Under Construction / Maintenance Mode from Acurax | IP Bypass (BAC) |
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | Broken Access Control (BAC) |
Upload Fields for WPForms | Broken Access Control (BAC) |
Upunzipper | Arbitrary File Deletion (BAC) |
User Profile Picture | Insecure Direct Object Reference (IDOR) to Profile Picture Update (BAC) |
User Registration | Missing Authorization (BAC) to Privilege Escalation (BAC) |
User Rights Access Manager | Broken Access Control (BAC) |
Wheel of Life | Missing Authorization (BAC) on Several AJAX Endpoints |
WishList Member X | Arbitrary File Deletion (BAC) |
WishList Member X | Privilege Escalation (BAC) |
WooBuddy | Broken Access Control (BAC) |
Woocommerce Customers Order History | Broken Access Control (BAC) |
WooCommerce Social Login | Email Verification Bypass (BAC) |
WooCommerce Tools | Missing Authorization (BAC) to Plugin Module Deactivation (BAC) |
WP Child Theme Generator | Unauthenticated Child Theme Creation/Activation (BAC) |
WP Dark Mode | Missing Authorization (BAC) |
wpDataTables | Missing Authorization (BAC) to DataTable Access & Modification (BAC) |
WP-DB-Table-Editor | Missing Authorization (BAC) to Database Access |
WP EasyCart | Broken Access Control (BAC) |
WP Force SSL & HTTPS SSL Redirect | Missing Authorization (BAC) to Settings Update (BAC) |
WP Job Manager - Resume Manager | Broken Access Control (BAC) |
WP Maintenance | IP Spoofing to Maintenance Mode Bypass (BAC) |
WP-Recall | Unauthenticated Payment Deletion (BAC) via delete_payment |
WP Reset | Missing Authorization (BAC) to License Key Modification (BAC) |
WPS Hide Login | Login Page Disclosure (BAC) |
WP Time Slots Booking Form | Broken Access Control (BAC) |
WP Translate | Broken Access Control (BAC) |
WPUpper Share Buttons | Missing Authorization (BAC) |
Zita Elementor Site Library | Missing Authorization (BAC) |
WP BAC & WordPress Broken Access Control reported in 2023: 931
WP BAC & WordPress Broken Access Control reported in 2024: 891
WHO needs tailored WP Maintenance? EVERYBODY!
Today's reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency change when a critical vulnerability is publicly disclosed without a patch. Order WP BAC JUL 2024: WP Broken Access Control Patch Management.
Security is not a single-task job
Need tailored WP Security and have no clue where to start? Hire an expert. Pay the price of a coffee per week, or figure it out yourself.