WP BAC JUL 2024: 163 Brutal WP Broken Access Control



WP Broken Access Control

Tailored WordPress Security Report

Stay informed about the latest WP Broken Access Control issues identified and reported publicly. WP BAC JUL 2024 shows a +44% INCREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT, – OR – switching to a TOP10LIST alternative WP Security Plugin, – OR – hiring professionals for tailored WP Security.

WHO needs tailored WP security? EVERYBODY!

Today’s reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate “gazillion” different threats in your WordPress. Get your WP BAC JUL 2024: WP Broken Access Control Patch Management.

The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:

Admin Notices Manager Missing Authorization (BAC) to User Email Retrieval
Advanced Contact form 7 DB Missing Authorization (BAC) to Unauthenticated Information Disclosure (BAC)
Advanced Custom Fields PRO Broken Access Control (BAC)
Advanced Custom Fields PRO Broken Access Control (BAC)
Album Gallery – WordPress Gallery Broken Access Control (BAC)
Ali2Woo Lite Arbitrary File Upload (BAC)
Ali2Woo Lite Broken Access Control (BAC)
Ali2Woo Lite Broken Access Control (BAC)
Ali2Woo Lite Broken Access Control (BAC) to Cross-Site Scripting (XSS)
Attire Blocks Missing Authorization (BAC)
Payment Gateway For WooCommerce Insufficient Verification of Data Authenticity to Unauthenticated Payment Bypass (BAC)
Auto Featured Image Arbitrary File Upload (BAC)
Awesome Support Broken Access Control (BAC)
Bookster Unauthenticated Appointment Status Update (BAC)
Boostify Header Footer Builder for Elementor Missing Authorization (BAC) to Page/Post Creation (BAC)
Bosa Elementor Addons and Templates for WooCommerce Broken Access Control (BAC)
BuddyForms Email Verification Bypass (BAC) due to Insufficient Randomness
BuddyPress Cover Arbitrary File Upload (BAC)
CB (legacy) Code/Timeframe/Booking Deletion (BAC) via Cross-Site Request Forgery (CSRF)
CF7 Google Sheets Connector Missing Authorization (BAC) to Limited Site Configuration Update (BAC)
Checkout Field Editor for WooCommerce (Pro) Unauthenticated Arbitrary File Deletion (BAC)
Church Admin Broken Access Control (BAC)
Claudio Sanches Insufficient Verification of Data Authenticity to Order Payment Status Update (BAC)
Clever Fox Missing Authorization (BAC) to arbitrary theme activation via clever-fox-activate-theme
Contact Form Builder, Contact Widget Bypass (BAC)
ContentLock Groups/Emails Deletion (BAC) via Cross-Site Request Forgery (CSRF)
ContentLock Settings Update (BAC) via Cross-Site Request Forgery (CSRF)
ConvertKit Broken Access Control (BAC)
Cookie Consent Broken Access Control (BAC)
Copymatic – AI Content Writer & Generator Broken Access Control (BAC)
Countdown & Clock Missing Authorization (BAC) to PHP Object Injection
Custom Font Uploader Missing Authorization (BAC) to Font Deletion (BAC)
Dashboard To-Do List Broken Access Control (BAC)
Database Cleaner Arbitrary File Read (BAC)
Debug Log Manager Broken Access Control (BAC)
Defender Security Broken Access Control (BAC)
Demo Awesome Broken Access Control (BAC)
e2pdf Broken Access Control (BAC)
Easy Affiliate Links Missing Authorization (BAC) to Settings Reset (BAC)
Easy Forms for Mailchimp Broken Access Control (BAC)
Easy Image Collage Missing Authorization (BAC) to Arbitrary Post Content Deletion (BAC)
Elements kit Elementor addons Unauthenticated Broken Access Control (BAC)
Essential Real Estate Insecure Direct Object Reference (IDOR) to Arbitrary Attachment Deletion (BAC)
Extra Product Options for WooCommerce Broken Access Control (BAC)
Featured Image from URL Broken Access Control (BAC)
File Manager Broken Access Control (BAC)
Five Star Restaurant Menu Missing Authorization (BAC) to Menu Creation (BAC)
Folders Pro Arbitrary File Upload (BAC) via handle_folders_file_upload
FooEvents for WooCommerce Arbitrary File Upload (BAC)
Frontend Registration – Contact Form 7 Privilege Escalation (BAC)
GDPR CCPA Compliance Support Missing Authorization (BAC) to Settings Update (BAC) and Cross-Site Scripting (XSS)
Hercules Core Arbitrary Settings Change/Access (BAC)
Hide Dashboard Notifications Missing Authorization (BAC) to Plugin Settings Modification (BAC)
Ibtana Broken Access Control (BAC)
Ibtana Unauthenticated Plugin Settings Update (BAC)
Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery Broken Access Control (BAC)
Infographic Maker – iList Arbitrary Title Update (BAC)
Insert Post Ads Broken Access Control (BAC)
InstaWP Connect Arbitrary File Upload (BAC)
InstaWP Connect Missing Authorization (BAC) to Unauthenticated API Setup / Arbitrary Options Update / Administrative User Creation (BAC)
Integrate Google Drive Broken Access Control (BAC)
Kadence Blocks Pro Arbitrary Option Access (BAC)
Kanban Boards for WordPress Broken Access Control (BAC)
LA-Studio Element Kit for Elementor Broken Access Control (BAC)
LatePoint Missing Authorization (BAC) and Private Information Exposure via IDOR
Laybuy Payment Extension for WooCommerce Broken Access Control (BAC)
LearnPress Private Information Disclosure (BAC) via JSON API
Leyka Broken Access Control (BAC)
Lifeline Donation Authentication Bypass (BAC)
Login/Signup Popup Missing Authorization (BAC) to Arbitrary Options Exposure (BAC)
Login/Signup Popup Missing Authorization (BAC) to Arbitrary Options Update (BAC)
Login with phone number Insecure Password Reset (BAC) Mechanism
Market Exporter Missing Authorization (BAC) to Arbitrary File Deletion (BAC)
Master Addons for Elementor Broken Access Control (BAC) on API
Master Addons for Elementor Missing Authorization (BAC) to MA Template Creation (BAC) or Modification (BAC)
Masterstudy Elementor Widgets Unauthenticated Broken Access Control (BAC)
MasterStudy LMS Broken Access Control (BAC)
Materialis Theme Missing Authorization (BAC) to Limited Arbitrary Options Update (BAC)
Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow Broken Access Control (BAC)
Minimal Coming Soon & Maintenance Mode – Coming Soon Page Missing Authorization (BAC) to Limited Settings Change
MJ Update History Broken Access Control (BAC)
Muslim Prayer Time BD Settings Reset (BAC) via Cross-Site Request Forgery (CSRF)
Netgsm Broken Access Control (BAC)
Newsletter – API addon (Premium) Missing Authorization (BAC) to Email Subscribers Management
Newspack Blocks Arbitrary Directory Deletion (BAC)
Newspack Blocks Arbitrary File Upload (BAC)
Newspack Blocks Broken Access Control (BAC)
Optinly Broken Access Control (BAC)
Page Builder Sandwich – Front-End Page Builder Broken Access Control (BAC)
Paid Memberships Pro Cross-Site Request Forgery to Membership Modification (BAC)
Patreon WordPress Image Protection Bypass (BAC)
Pearl Missing Authorization (BAC) to Unauthenticated Arbitrary Site Options Deletion (BAC)
Pexels: Free Stock Photos Arbitrary File Upload (BAC) Broken Access Control (BAC)
Popup box Broken Access Control (BAC)
Popup Builder Missing Authorization (BAC) in Multiple AJAX Actions
Popup Builder Missing Authorization (BAC) and Nonce Exposure
ProfileGrid Missing Authorization (BAC)
Progress Planner Broken Access Control (BAC)
Promolayer Missing Authorization (BAC)
PropertyHive Broken Access Control (BAC)
QQWorld Auto Save Images Missing Authorization (BAC) to Arbitrary Post Content Retrieval
Radcliffe 2 Theme Broken Access Control (BAC)
Restrict for Elementor Protection Mechanism Bypass (BAC)
Robo Gallery Cross-Site Request Forgery to Post Creation (BAC)
Salon booking system Unauthenticated Arbitrary File Upload (BAC)
Salon booking system Arbitrary File Deletion (BAC)
Salon booking system Missing Authorization (BAC)
SC filechecker Arbitrary File Deletion (BAC)
Scheduling Plugin – Online Booking for WordPress Unauthenticated Plugin Settings Reset (BAC)
Sensei LMS Broken Access Control (BAC)
Sensei Pro (WC Paid Courses) Broken Access Control (BAC)
Simple COD Fees for WooCommerce Broken Access Control (BAC)
Sirv Arbitrary File Upload (BAC)
SiteGuard WP Plugin Login Page Disclosure (BAC)
Slider Responsive Slideshow – Image slider, Gallery slideshow Broken Access Control (BAC)
Smush Image Compression and Optimization Resmush List Deletion (BAC)
Social Link Pages Missing Authorization (BAC) to Arbitrary Page Creation (BAC) and Cross-Site Scripting (XSS)
Social Login Lite For WooCommerce Authentication Bypass (BAC)
Sparkle Demo Importer Post/Pages/Attachments Deletion (BAC) and Demo Data Import
Squeeze Arbitrary File Upload (BAC)
Startklar Elementor Addons Unauthenticated Path Traversal to Arbitrary Directory Deletion (BAC)
Strategery Migrations Arbitrary File Deletion (BAC)
Strong Testimonials Improper Authorization to Views Modification (BAC)
The Moneytizer Missing Authorization (BAC) via multiple AJAX actions
Tickera Broken Access Control (BAC)
Tickera Ticket Deletion (BAC)
Timetics Broken Access Control (BAC)
Timetics Missing Authorization (BAC) to Limited Privilege Escalation (BAC)
Tutor LMS Insecure Direct Object Reference (IDOR) to Arbitrary Quiz Attempt Deletion (BAC)
Uber Menu Cross-Site Request Forgery to Settings Reset (BAC)
Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter Broken Access Control (BAC) to Cross-Site Scripting (XSS)
Uncanny Automator Pro Cross-Site Request Forgery (CSRF) Leading to License Settings Reset (BAC)
Uncanny Automator Pro Unauthenticated License Settings Reset (BAC)
Under Construction / Maintenance Mode from Acurax IP Bypass (BAC)
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Broken Access Control (BAC)
Upload Fields for WPForms Broken Access Control (BAC)
Upunzipper Arbitrary File Deletion (BAC)
User Profile Picture Insecure Direct Object Reference (IDOR) to Profile Picture Update (BAC)
User Registration Missing Authorization (BAC) to Privilege Escalation (BAC)
User Rights Access Manager Broken Access Control (BAC)
Wheel of Life Missing Authorization (BAC) on Several AJAX Endpoints
WishList Member X Arbitrary File Deletion (BAC)
WishList Member X Privilege Escalation (BAC)
WooBuddy Broken Access Control (BAC)
Woocommerce Customers Order History Broken Access Control (BAC)
WooCommerce Social Login Email Verification Bypass (BAC)
WooCommerce Tools Missing Authorization (BAC) to Plugin Module Deactivation (BAC)
WP Child Theme Generator Unauthenticated Child Theme Creation/Activation (BAC)
WP Dark Mode Missing Authorization (BAC)
wpDataTables Missing Authorization (BAC) to DataTable Access & Modification (BAC)
WP-DB-Table-Editor Missing Authorization (BAC) to Database Access
WP EasyCart Broken Access Control (BAC)
WP Force SSL & HTTPS SSL Redirect Missing Authorization (BAC) to Settings Update (BAC)
WP Job Manager – Resume Manager Broken Access Control (BAC)
WP Maintenance IP Spoofing to Maintenance Mode Bypass (BAC)
WP-Recall Unauthenticated Payment Deletion (BAC) via delete_payment
WP Reset Missing Authorization (BAC) to License Key Modification (BAC)
WPS Hide Login Login Page Disclosure (BAC)
WP Time Slots Booking Form Broken Access Control (BAC)
WP Translate Broken Access Control (BAC)
WPUpper Share Buttons Missing Authorization (BAC)
Zita Elementor Site Library Missing Authorization (BAC)

WP BAC & WordPress Broken Access Control reported in 2023: 931
WP BAC & WordPress Broken Access Control reported in 2024: 891

WHO needs tailored WP Maintenance? EVERYBODY!

Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC JUL 2024: WP Broken Access Control Patch Management.

Security is not a single-task job

Need tailored WP Security and have no clue where to start? Hire an expert. Pay the price of a coffee per week, or figure it out yourself.

Not sure that our recurring security offer is worth long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.