WP BAC JUN 2024
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC JUN 2024 is a -58% DECREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin – OR – Hire us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate "gazillion" different threats in your WordPress. Get your WP BAC JUN 2024: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
| ACF Front End Editor | Missing Authorisation (BAC) to Arbitrary Content Update |
| ACF On-The-Go | Missing Authorisation (BAC) to Arbitrary Content Update |
| AdFoxly – Ad Manager, AdSense Ads & Ads.txt | Broken Access Control (BAC) |
| Advanced Custom Fields PRO | Arbitrary Function Execution (BAC) |
| AI Engine: ChatGPT Chatbot | Arbitrary File Upload (BAC) |
| Aiomatic | Broken Access Control (BAC) |
| All-in-One Video Gallery | Arbitrary File Upload (BAC) via featured image |
| ApplyOnline – Application Form Builder and Manager | Missing Authorisation (BAC) to Private Information Exposure |
| AppPresser | Improper Missing Encryption Exception Handling to Authentication Bypass (BAC) |
| Back In Stock Notifier for WooCommerce | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| Base64 Encoder/Decoder | Settings Reset (BAC) via Cross-Site Request Forgery (CSRF) |
| Blocksy Companion | Cross-Site Scripting (XSS) via SVG Upload (BAC)s |
| BookingPress | Appointment Duration Manipulation (BAC) |
| Booster for WooCommerce | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| Brizy – Page Builder | Missing Authorisation (BAC) |
| Builder for WooCommerce reviews shortcodes – ReviewShort | Broken Access Control (BAC) |
| Bulk Posts Editing For WordPress | Missing Authorisation (BAC) |
| canvasio3D Light | Arbitrary File Upload (BAC) |
| ChatBot | Missing Authorisation (BAC) via multiple functions |
| ClickCease Click Fraud Protection | Improper Authorisation (BAC) to Private information exposure via get_settings |
| Comparison Slider | Missing Authorisation (BAC) |
| Contact Form by WPForms | Unauthenticated Price Manipulation (BAC) |
| Contact Form & Lead Form Elementor Builder | Arbitrary Shortcode Execution (BAC) |
| Contact List – Easy Business Directory, Staff Directory and Address Book Plugin | Broken Access Control (BAC) |
| ConvertPlus | Missing Authorisation (BAC) to Limited Arbitrary Options Update |
| Copymatic – AI Content Writer & Generator | Unauthenticated Arbitrary File Upload (BAC) |
| Cost Calculator Builder Pro | Unauthenticated Cross-Site Scripting (XSS) via SVG Upload (BAC) |
| Crafthemes Demo Import | Arbitrary Plugin Installation (BAC) |
| Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler | Broken Access Control (BAC) |
| Different Menu in Different Pages | Missing Authorisation (BAC) to Menu Duplication |
| Download Monitor | Missing Authorisation (BAC) |
| EAN for WooCommerce | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
| Edwiser Bridge | Authentication Bypass (BAC) due to Missing Empty Value Check |
| Element Pack Elementor Addons | Form Submission Admin Email Bypass (BAC) |
| Email Subscribers & Newsletters | Missing Authorisation (BAC) in handle_ajax_request |
| EmbedPress | Insufficient Authorisation (BAC) Checks |
| Event post | Missing Authorisation (BAC) |
| Fastly | Broken Access Control (BAC) |
| Fastly | Broken Access Control (BAC) |
| Flo Forms | Broken Access Control (BAC) |
| FluentForm | Missing Authorisation (BAC) to Setting Manipulation (BAC) |
| FluentForm | Missing Authorisation (BAC) to Settings Update (BAC) and Limited Privilege Escalation (BAC) |
| Giveaways and Contests by RafflePress | Broken Access Control (BAC) |
| Hash Form – Drag & Drop Form Builder | Unauthenticated Arbitrary File Upload (BAC) to Remote Code Execution (RCE) |
| HT Mega | Missing Authorisation (BAC) to Options Update |
| If-So Dynamic Content Personalization | Broken Access Control (BAC) |
| Import and export users and customers | Broken Access Control (BAC) |
| iPages Flipbook | Broken Access Control (BAC) |
| Kognetiks Chatbot for WordPress | Arbitrary File Upload (BAC) |
| LeadConnector | API Broken Access Control (BAC) |
| LearnPress | Arbitrary File Upload (BAC) |
| LearnPress | Unauthenticated Bypass (BAC) to User Registration |
| Login with phone number | Broken Access Control (BAC) |
| Login with phone number | Authentication Bypass (BAC) |
| MC Woocommerce Wishlist | Broken Access Control (BAC) |
| MC Woocommerce Wishlist | Broken Access Control (BAC) |
| Menu Icons by ThemeIsle | Cross-Site Scripting (XSS) via SVG Upload (BAC) |
| Netgsm | Broken Access Control (BAC) |
| Optimole | Cross-Site Scripting (XSS) via SVG Upload (BAC) |
| Orders Tracking for WooCommerce | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| Password Protected | Missing Authorisation (BAC) to Private Information Exposure |
| Photo Gallery by 10Web | Broken Access Control (BAC) |
| Pk Favicon Manager | Arbitrary File Upload (BAC) |
| Post Grid Master | Broken Access Control (BAC) |
| Premium Addons for Elementor | Missing Authorisation (BAC) to Private Information Disclosure |
| Radio Player | Broken Access Control (BAC) |
| reCAPTCHA Jetpack | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
| ReviewX | Missing Authorisation (BAC) |
| Serial Numbers for WooCommerce – License Manager | Broken Access Control (BAC) |
| Shared Counts | Missing Authorisation (BAC) to Arbitrary Email Sending |
| Shared Files | Broken Access Control (BAC) |
| ShopLentor | Missing Authorisation (BAC) via purchased_new_products |
| ShopLentor | Missing Authorisation (BAC) to WordPress Option Modification |
| Simple Basic Contact Form | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| SimpleShop | Missing Authorisation (BAC) |
| Slider Revolution | Unauthenticated Broken Access Control (BAC) |
| Social Connect | Authentication Bypass (BAC) |
| Spectra Pro | Privilege Escalation (BAC) |
| SportsPress – Sports Club & League Manager | Broken Access Control (BAC) |
| SP Project & Document Manager | Data Update (BAC) and File Download (BAC) via IDOR |
| Startklar Elementor Addons | Unauthenticated Arbitrary File Upload (BAC) |
| StopBadBots | Missing Authorisation (BAC) to Private Information Expsoure |
| Swift Framework | Missing Authorisation (BAC) to Unauthenticated Arbitrary Content Update |
| Swift Performance Lite | Incorrect Authorisation (BAC) to Settings Modification |
| Swiss Toolkit For WP | Authentication Bypass (BAC) |
| Tagembed | Broken Access Control (BAC) |
| Testimonial Carousel For Elementor | Missing Authorisation (BAC) to Limited Setting Update |
| The Post Grid | Missing Authorisation (BAC) |
| Tutor LMS | Missing Authorisation (BAC) |
| Tutor LMS Pro | Missing Authorisation (BAC) |
| Tutor LMS Pro | Missing Authorisation (BAC) to Privilege Escalation (BAC) |
| Tutor LMS Pro | Missing Authorisation (BAC) to SQL Injection (SQLi) |
| Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery | Broken Access Control (BAC) |
| Video Gallery & Management | Missing Authorisation (BAC) to Arbitrary Post/Page Creation |
| weDocs | Broken Access Control (BAC) |
| weMail | Broken Access Control (BAC) |
| White Label CMS | Missing Authorisation (BAC) to Plugin Settings Reset |
| WordPress Meta Data and Taxonomies Filter (MDTF) | Arbitrary Shortcode Execution (BAC) |
| WordPress Pie Register - Social Sites Login (Add on) plugin | - Authentication Bypass (BAC) |
| WP Compress – Image Optimiser [All-In-One] | Missing Authorisation (BAC) |
| WP Discourse | Broken Access Control (BAC) |
| WP Fundraising Donation and Crowdfunding Platform | Broken Access Control (BAC) |
| WP Latest Posts | Arbitrary Shortcode Execution (BAC) |
| WP Photo Album Plus | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| WP Photo Album Plus | Unauthenticated Arbitrary File Upload (BAC) |
| WP Post Author | Rating Value Manipulation (BAC) |
| WP Post Author | Broken Access Control (BAC) |
| WP Scraper | Missing Authorisation (BAC) to Arbitrary Page/Post Creation |
| WP STAGING – Backup Duplicator & Migration | Arbitrary File Upload (BAC) |
| WpTravelly | Missing Authorisation (BAC) via ttbm_new_place_save |
| YITH WooCommerce Gift Cards | Multiple BAC - Missing Authorisation to Unauthenticated WooCommerce Settings Update |
| Yumpu ePaper publishing | Multiple BAC - Missing Authorisation, PDF Upload, Publishing, API Key Modification |
| Z-Downloads | Arbitrary File Upload (BAC) |
| WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
| WP BAC & WordPress Broken Access Control reported in 2024: | 728 |
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC JUN 2024: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and got no clue where to start? Hire an expert. Pay a coffee per week, its cheaper than 1 hour for a freelancer.
