WP BAC MAR 2025
WP Broken Access Control
Managed WordPress Security Report
Stay informed about the latest WP Broken Access Control issues, identified and reported publicly. WP BAC MAR 2025 is a 33% DECREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT, – OR – switching to a TOP10LIST alternative WP Security Plugin, – OR – hiring us for your recurring needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate the "gazillion" different threats to your WordPress site. Get your WP BAC MAR 2025: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
3D Photo Gallery | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
A1POST.BG Shipping for Woo | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
ADFO | Deserialization (BAC) of untrusted data |
aDirectory | Missing Authorization (BAC) to Post Deletion (BAC) |
Admin and Site Enhancements (ASE) Pro | Privilege Escalation (BAC) |
Advanced Google reCAPTCHA | Built-in Math CAPTCHA Bypass (BAC) |
Affiliate Links Lite | Missing Authorization (BAC) to Unauthenticated Import/Export and PHP Object Injection |
AIO Performance Profiler, Monitor, Optimize, Compress & Debug | Broken Access Control (BAC) |
All-Images.ai | File Upload (BAC) |
Analytify | Broken Access Control (BAC) |
Animated Text Block | Broken Access Control (BAC) |
Apus Framework | Options Update (BAC) in import_page_options |
Atarim | Content Deletion (BAC) |
Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue | Settings Change (BAC) |
Avada Theme | Unauthenticated Shortcode Execution (BAC) |
Awesome Event Booking | Broken Access Control (BAC) |
Bit Assist | Path Traversal (BAC) to File Read (BAC) from downloadResponseFile Function |
Bit Assist | Path Traversal (BAC) to File Read (BAC) from fileID Parameter |
Book a Room | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
Booking Calendar | Unauthenticated Post-Confirmation Booking Manipulation (BAC) |
BookPress – For Book Authors | Broken Access Control (BAC) |
Bricks Builder Theme | Privilege Escalation (BAC) from create_autosave |
Brizy | File Upload (BAC) from storeUploads |
Brizy | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
C9 Admin Dashboard | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Car Dealer Theme | File Deletion (BAC) and Read (BAC) |
Car Dealer Theme | Missing Authorization (BAC) to Change (BAC) and JS-CSS Files Delete (BAC) |
Car Dealer Theme | Theme Option Update to Privilege Escalation (BAC) |
CarSpot Theme | Unauthenticated Password Reset/Account Takeover (BAC) |
Chaty Pro | File Upload (BAC) |
Child Themes Helper | Cross-Site Request Forgery (CSRF) to File Deletion (BAC) |
Classified Listing | Unauthenticated Settings Exposure (BAC) |
Click Mag Theme | Missing Authorization (BAC) to Options Deletion (BAC) |
ClickWhale | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
Contact Manager | Unauthenticated Double File Extension Upload (BAC) |
ConvertPlus | Missing Authorization (BAC) to Options Update (BAC) |
CURCY | Unauthenticated Shortcode Execution (BAC) from get_products_price Function |
Custom Post Type Date Archives | Missing Authorization (BAC) to Unauthenticated Shortcode Execution (BAC) |
Custom Related Posts | Missing Authorization (BAC) to Private Post Search and Relation Updates |
DefendWP Firewall | Broken Access Control (BAC) |
DHVC Form | Unauthenticated Privilege Escalation (BAC) |
Directorist | Privilege Escalation (BAC) and Account Takeover (BAC) from OTP |
DirectoryPress Frontend | Cross-Site Request Forgery (CSRF) to Listing Status Update (BAC) |
Disable Elementor Editor Translation | Broken Access Control (BAC) |
Distance Based Shipping Calculator | Broken Access Control (BAC) |
Distance Based Shipping Calculator | Settings Change (BAC) |
Download IP2Location Country Blocker | Missing Authorization (BAC) to Unauthenticated Information Exposure from admin_init Function |
DSGVO All in one for WP | Cross-Site Request Forgery (CSRF) to Account Deletion (BAC) |
EAN for WooCommerce | Broken Access Control (BAC) |
Email Verification for WooCommerce | Authentication Bypass (BAC) from Shortcode |
Embed RSS | Shortcode Execution (BAC) |
Enfold Theme | Missing Authorization (BAC) to Private Information Disclosure in avia-export-class.php |
Essential Blocks for Gutenberg | Broken Access Control (BAC) |
Eventer | Missing Authorization (BAC) to Bookings Export |
Eventer | Missing Authorization (BAC) to Unauthenticated Event Ticket Download |
Event Kikfyre | Broken Access Control (BAC) |
Events Manager | Broken Access Control (BAC) |
Event Tickets | Missing Authorization (BAC) to Ticket Deletion (BAC) |
Everest Forms | Unauthenticated File Upload (BAC), Read (BAC), and Deletion (BAC) |
Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets | Broken Access Control (BAC) |
Flexible Wishlist for WooCommerce | Cross-Site Request Forgery (CSRF) to Wishlist Creation/Modification (BAC) |
FoodBakery | Authentication Bypass (BAC) in foodbakery_parse_request |
FoodBakery | Unauthenticated File Upload (BAC) |
FoodBakery | Unauthenticated Privilege Escalation (BAC) in foodbakery_registration_validation |
Forex Calculators | Missing Authorization (BAC) to Settings Update (BAC) |
FormCraft 3 | Missing Authorization (BAC) to Plugin Data Export in formcraft-main.php |
Fusion Builder | Unauthenticated Shortcode Execution (BAC) |
GetBookingsWP | Privilege Escalation (BAC) from Account Takeover (BAC) |
Gift Vouchers | Missing Authorization (BAC) to Unauthenticated Price, Date, and Note Updates |
Global Gallery - WordPress Responsive Gallery | Shortcode Execution (BAC) |
GlobalQuran | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
GPX Viewer | Path Traversal (BAC) |
Helloprint | File Deletion (BAC) |
Helloprint | File Deletion (BAC) |
Houzez Property Feed | Cross-Site Request Forgery (CSRF) to Property Feed Export Deletion (BAC) |
Indeed API | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
iNET Webkit | Broken Access Control (BAC) |
Keep Backup Daily | File Download (BAC) |
K Elements | Unauthenticated Account Takeover (BAC) |
Login Me Now | Authentication Bypass (BAC) |
LTL Freight Quotes – FreightQuote Edition | Broken Access Control (BAC) |
LTL Freight Quotes – GlobalTranz Edition | Missing Authorization (BAC) to Unauthenticated Settings Update (BAC) |
LTL Freight Quotes – Unishippers Edition | Broken Access Control (BAC) |
LTL Freight Quotes – Worldwide Express Edition | Content Deletion (BAC) |
Market Exporter | Broken Access Control (BAC) |
Media Library Folders | Missing Authorization (BAC) to Plugin Settings Change (BAC) |
Munk Sites | Cross-Site Request Forgery (CSRF) to Plugin Installation (BAC) |
Music Sheet Viewer | File Read (BAC) |
MyTicket Events | Non-Arbitrary File Read (BAC) |
Nextend Social Login Pro | Authentication Bypass (BAC) from Apple OAuth provider |
NextMove Lite | Missing Authorization (BAC) to Deactivation Reason Submission |
NHR Options Table Manager | Deserialization (BAC) of untrusted data |
Oliver POS | Private Information Exposure to Privilege Escalation (BAC) |
OnePress Theme | Broken Access Control (BAC) |
OneStore Sites | Cross-Site Request Forgery (CSRF) to Plugin Installation (BAC) |
Option Editor | Cross-Site Request Forgery (CSRF) to Options Update (BAC) |
Order Limit for WooCommerce | Broken Access Control (BAC) |
Page and Post Lister | Content Deletion (BAC) |
Paid Videochat Turnkey Site | File Deletion (BAC) |
Pallet Packaging for WooCommerce | Broken Access Control (BAC) |
Photo Gallery ( Responsive ) | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Pie Register Premium | Broken Access Control (BAC) |
Plugin A/B Image Optimizer | File Download (BAC) |
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | Path Traversal (BAC) to File Read (BAC) from template_via_url Function |
PressMart Theme | Unauthenticated Shortcode Execution (BAC) |
PrivateContent | Unauthenticated Account Takeover (BAC) |
Puzzles Theme | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
Rank Math SEO | Missing Authorization (BAC) to Schema Deletion (BAC) |
RapidLoad | Broken Access Control (BAC) |
Raptive Ads | Missing Authorization (BAC) to Unauthenticated Data/Settings Reset |
Read More & Accordion | Missing Authorization (BAC) to 'Read More' Post Deletion (BAC) |
Real Estate 7 Theme | Unauthenticated Privilege Escalation (BAC) to Administrator |
Real Estate Manager | Captcha Bypass (BAC) |
Recipe Card Blocks for Gutenberg & Elementor | Broken Access Control (BAC) |
Residential Address Detection | Option Update to Privilege Escalation (BAC) |
School Management System – SakolaWP | Cross-Site Request Forgery (CSRF) to Exam Setting Manipulation (BAC) |
Scratch & Win – Giveaways and Contests | Missing Authorization (BAC) to Unauthenticated Coupon Creation |
Search with Typesense | Path Traversal (BAC) |
Security & Malware scan by CleanTalk | Unauthenticated File Upload (BAC) |
Shopwarden | Cross-Site Request Forgery (CSRF) to Options Update (BAC) |
Show Me The Cookies | Unauthenticated Shortcode Execution (BAC) |
Simplified | File Upload (BAC) |
Slide Banners | Broken Access Control (BAC) |
Small Package Quotes – Unishippers Edition | Broken Access Control (BAC) |
SocialV Theme | Missing Authorization (BAC) to File Download (BAC) |
Sports Rankings and Lists | File Download (BAC) |
Starter Templates by FancyWP | Cross-Site Request Forgery (CSRF) to Plugin Installation (BAC) |
Sticky Header On Scroll | Broken Access Control (BAC) |
Strong Testimonials | Broken Access Control (BAC) |
Subscriptions & Memberships for PayPal | Cross-Site Request Forgery (CSRF) to Post Deletion (BAC) |
SVG Support | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Team | Missing Authorization (BAC) to Settings Update (BAC) |
Team Builder | Missing Authorization (BAC) to Settings Update (BAC) |
Templines Elementor Helper Core | Privilege Escalation (BAC) |
Theme File Duplicator | File Download (BAC) |
Theme File Duplicator | File Upload (BAC) |
The Ultimate WordPress Toolkit – WP Extended | Missing Authorization (BAC) to Unauthenticated Post Order Manipulation (BAC) |
Trash Duplicate and 301 Redirect | Missing Authorization (BAC) to Unauthenticated Post Deletion (BAC) |
Uix Shortcodes | Shortcode Execution (BAC) |
Ultimate Classified Listings | Cross-Site Request Forgery (CSRF) to Account Takeover (BAC) |
Uncode Core | Shortcode Execution (BAC) in uncode_get_medias |
Uncode Theme | File Read (BAC) in uncode_recordMedia |
Uncode Theme | Unauthenticated File Read (BAC) in uncode_admin_get_oembed |
VideoWhisper Live Streaming Integration | File Deletion (BAC) |
VideoWhisper Live Streaming Integration | File Download (BAC) |
VikBooking Hotel Booking Engine & PMS | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
Vitepos | Broken Access Control (BAC) |
WHMCS Client Area for WordPress by WHMpress | Options Update (BAC) |
WHMpress | Unauthenticated Local File Inclusion (LFI) to Options Update (BAC) |
WooCommerce Food - Restaurant Menu & Food ordering | Unauthenticated Shortcode Execution (BAC) from ids |
WooCommerce Support Ticket System | Missing Authorization (BAC) to Post Deletion (BAC) and Information Exposure |
WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates | Unauthenticated File Upload (BAC) |
WordPress FormCraft - Premium WordPress Form Builder plugin | Unauthenticated Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
WordPress Portfolio Builder – Portfolio Gallery | Missing Authorization (BAC) to Unauthenticated Portfolio Update |
WP Abstracts | Cross-Site Request Forgery (CSRF) to Account Deletion (BAC) |
WP All Import | Cross-Site Request Forgery (CSRF) to Imported Content Deletion (BAC) |
WP All Import Pro | Cross-Site Request Forgery (CSRF) to Imported Content Deletion (BAC) |
WP-Asambleas | Shortcode Execution (BAC) |
WP Directorybox Manager | Authentication Bypass (BAC) |
WP Find Your Nearest | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
wpForo Forum | File Read (BAC) in update |
WP Job Board Pro | Unauthenticated Privilege Escalation (BAC) from process_register |
WP Media Category Management | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
WP Project Manager | Missing Authorization (BAC) to Options Update (BAC) |
Wp Social | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon | Missing Authorization (BAC) to Settings Reset |
WP Table Manager | Missing Authorization (BAC) to Directory Traversal to Folder/File Name Private Disclosure |
WPvivid Backup and Migration | File Upload (BAC) from wpvivid_upload_file |
Zarinpal Paid Download | File Upload (BAC) |
Zox News Theme | Missing Authorization (BAC) to Options Modification |
ZoxPress Theme | Missing Authorization (BAC) to Options Deletion (BAC) |
ZoxPress Theme | Missing Authorization (BAC) to Options Update (BAC) |
WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
WP BAC & WordPress Broken Access Control reported in 2024: | 2024 |
WP BAC & WordPress Broken Access Control reported in 2025: | 649 |
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC MAR 2025: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and have no clue where to start? Hire an expert. Pay the price of a coffee per week; it's cheaper than 1 hour of a freelancer's time.