WP BAC MAR 2025
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control issues, identified and reported publicly. WP BAC MAR 2025 shows a -33% DECREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT, – OR – switching to a TOP10LIST alternative WP Security Plugin, – OR – hiring us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate the "gazillion" different threats to your WordPress. Get your WP BAC MAR 2025: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Plugin / Theme | Vulnerability (category) |
3D Photo Gallery | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
A1POST.BG Shipping for Woo | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
ADFO | Deserialization (BAC) of untrusted data |
aDirectory | Missing Authorization (BAC) to Post Deletion (BAC) |
Admin and Site Enhancements (ASE) Pro | Privilege Escalation (BAC) |
Advanced Google reCAPTCHA | Built-in Math CAPTCHA Bypass (BAC) |
Affiliate Links Lite | Missing Authorization (BAC) to Unauthenticated Import/Export and PHP Object Injection |
AIO Performance Profiler, Monitor, Optimize, Compress & Debug | Broken Access Control (BAC) |
All-Images.ai | File Upload (BAC) |
Analytify | Broken Access Control (BAC) |
Animated Text Block | Broken Access Control (BAC) |
Apus Framework | Options Update (BAC) in import_page_options |
Atarim | Content Deletion (BAC) |
Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue | Settings Change (BAC) |
Avada Theme | Unauthenticated Shortcode Execution (BAC) |
Awesome Event Booking | Broken Access Control (BAC) |
Bit Assist | Path Traversal (BAC) to File Read (BAC) from downloadResponseFile Function |
Bit Assist | Path Traversal (BAC) to File Read (BAC) from fileID Parameter |
Book a Room | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
Booking Calendar | Unauthenticated Post-Confirmation Booking Manipulation (BAC) |
BookPress – For Book Authors | Broken Access Control (BAC) |
Bricks Builder Theme | Privilege Escalation (BAC) from create_autosave |
Brizy | File Upload (BAC) from storeUploads |
Brizy | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
C9 Admin Dashboard | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Car Dealer Theme | File Deletion (BAC) and Read (BAC) |
Car Dealer Theme | Missing Authorization (BAC) to Change (BAC) and JS-CSS Files Delete (BAC) |
Car Dealer Theme | Theme Option Update to Privilege Escalation (BAC) |
CarSpot Theme | Unauthenticated Password Reset/Account Takeover (BAC) |
Chaty Pro | File Upload (BAC) |
Child Themes Helper | Cross-Site Request Forgery (CSRF) to File Deletion (BAC) |
Classified Listing | Unauthenticated Settings Exposure (BAC) |
Click Mag Theme | Missing Authorization (BAC) to Options Deletion (BAC) |
ClickWhale | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
Contact Manager | Unauthenticated Double File Extension Upload (BAC) |
ConvertPlus | Missing Authorization (BAC) to Options Update (BAC) |
CURCY | Unauthenticated Shortcode Execution (BAC) from get_products_price Function |
Custom Post Type Date Archives | Missing Authorization (BAC) to Unauthenticated Shortcode Execution (BAC) |
Custom Related Posts | Missing Authorization (BAC) to Private Post Search and Relation Updates |
DefendWP Firewall | Broken Access Control (BAC) |
DHVC Form | Unauthenticated Privilege Escalation (BAC) |
Directorist | Privilege Escalation (BAC) and Account Takeover (BAC) from OTP |
DirectoryPress Frontend | Cross-Site Request Forgery (CSRF) to Listing Status Update (BAC) |
Disable Elementor Editor Translation | Broken Access Control (BAC) |
Distance Based Shipping Calculator | Broken Access Control (BAC) |
Distance Based Shipping Calculator | Settings Change (BAC) |
Download IP2Location Country Blocker | Missing Authorization (BAC) to Unauthenticated Information Exposure from admin_init Function |
DSGVO All in one for WP | Cross-Site Request Forgery (CSRF) to Account Deletion (BAC) |
EAN for WooCommerce | Broken Access Control (BAC) |
Email Verification for WooCommerce | Authentication Bypass (BAC) from Shortcode |
Embed RSS | Shortcode Execution (BAC) |
Enfold Theme | Missing Authorization (BAC) to Private Information Disclosure in avia-export-classphp |
Essential Blocks for Gutenberg | Broken Access Control (BAC) |
Eventer | Missing Authorization (BAC) to Bookings Export |
Eventer | Missing Authorization (BAC) to Unauthenticated Event Ticket Download |
Event Kikfyre | Broken Access Control (BAC) |
Events Manager | Broken Access Control (BAC) |
Event Tickets | Missing Authorization (BAC) to Ticket Deletion (BAC) |
Everest Forms | Unauthenticated File Upload (BAC), Read (BAC), and Deletion (BAC) |
Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets | Broken Access Control (BAC) |
Flexible Wishlist for WooCommerce | Cross-Site Request Forgery (CSRF) to Wishlist Creation/Modification (BAC) |
FoodBakery | Authentication Bypass (BAC) in foodbakery_parse_request |
FoodBakery | Unauthenticated File Upload (BAC) |
FoodBakery | Unauthenticated Privilege Escalation (BAC) in foodbakery_registration_validation |
Forex Calculators | Missing Authorization (BAC) to Settings Update (BAC) |
FormCraft 3 | Missing Authorization (BAC) to Plugin Data Export in formcraft-mainphp |
Fusion Builder | Unauthenticated Shortcode Execution (BAC) |
GetBookingsWP | Privilege Escalation (BAC) from Account Takeover (BAC) |
Gift Vouchers | Missing Authorization (BAC) to Unauthenticated Price, Date, and Note Updates |
Global Gallery - WordPress Responsive Gallery | Shortcode Execution (BAC) |
GlobalQuran | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
GPX Viewer | Path Traversal (BAC) |
Helloprint | File Deletion (BAC) |
Helloprint | File Deletion (BAC) |
Houzez Property Feed | Cross-Site Request Forgery (CSRF) to Property Feed Export Deletion (BAC) |
Indeed API | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
iNET Webkit | Broken Access Control (BAC) |
Keep Backup Daily | File Download (BAC) |
K Elements | Unauthenticated Account Takeover (BAC) |
Login Me Now | Authentication Bypass (BAC) |
LTL Freight Quotes – FreightQuote Edition | Broken Access Control (BAC) |
LTL Freight Quotes – GlobalTranz Edition | Missing Authorization (BAC) to Unauthenticated Settings Update (BAC) |
LTL Freight Quotes – Unishippers Edition | Broken Access Control (BAC) |
LTL Freight Quotes – Worldwide Express Edition | Content Deletion (BAC) |
Market Exporter | Broken Access Control (BAC) |
Media Library Folders | Missing Authorization (BAC) to Plugin Settings Change (BAC) |
Munk Sites | Cross-Site Request Forgery (CSRF) to Plugin Installation (BAC) |
Music Sheet Viewer | File Read (BAC) |
MyTicket Events | Non-Arbitrary File Read (BAC) |
Nextend Social Login Pro | Authentication Bypass (BAC) from Apple OAuth provider |
NextMove Lite | Missing Authorization (BAC) to Deactivation Reason Submission |
NHR Options Table Manager | Deserialization (BAC) of untrusted data |
Oliver POS | Private Information Exposure to Privilege Escalation (BAC) |
OnePress Theme | Broken Access Control (BAC) |
OneStore Sites | Cross-Site Request Forgery (CSRF) to Plugin Installation (BAC) |
Option Editor | Cross-Site Request Forgery (CSRF) to Options Update (BAC) |
Order Limit for WooCommerce | Broken Access Control (BAC) |
Page and Post Lister | Content Deletion (BAC) |
Paid Videochat Turnkey Site | File Deletion (BAC) |
Pallet Packaging for WooCommerce | Broken Access Control (BAC) |
Photo Gallery ( Responsive ) | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Pie Register Premium | Broken Access Control (BAC) |
Plugin A/B Image Optimizer | File Download (BAC) |
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | Path Traversal (BAC) to File Read (BAC) from template_via_url Function |
PressMart Theme | Unauthenticated Shortcode Execution (BAC) |
PrivateContent | Unauthenticated Account Takeover (BAC) |
Puzzles Theme | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
Rank Math SEO | Missing Authorization (BAC) to Schema Deletion (BAC) |
RapidLoad | Broken Access Control (BAC) |
Raptive Ads | Missing Authorization (BAC) to Unauthenticated Data/Settings Reset |
Read More & Accordion | Missing Authorization (BAC) to 'Read More' Post Deletion (BAC) |
Real Estate 7 Theme | Unauthenticated Privilege Escalation (BAC) to Administrator |
Real Estate Manager | Captcha Bypass (BAC) |
Recipe Card Blocks for Gutenberg & Elementor | Broken Access Control (BAC) |
Residential Address Detection | Option Update to Privilege Escalation (BAC) |
School Management System – SakolaWP | Cross-Site Request Forgery (CSRF) to Exam Setting Manipulation (BAC) |
Scratch & Win – Giveaways and Contests | Missing Authorization (BAC) to Unauthenticated Coupon Creation |
Search with Typesense | Path Traversal (BAC) |
Security & Malware scan by CleanTalk | Unauthenticated File Upload (BAC) |
Shopwarden | Cross-Site Request Forgery (CSRF) to Options Update (BAC) |
Show Me The Cookies | Unauthenticated Shortcode Execution (BAC) |
Simplified | File Upload (BAC) |
Slide Banners | Broken Access Control (BAC) |
Small Package Quotes – Unishippers Edition | Broken Access Control (BAC) |
SocialV Theme | Missing Authorization (BAC) to File Download (BAC) |
Sports Rankings and Lists | File Download (BAC) |
Starter Templates by FancyWP | Cross-Site Request Forgery (CSRF) to Plugin Installation (BAC) |
Sticky Header On Scroll | Broken Access Control (BAC) |
Strong Testimonials | Broken Access Control (BAC) |
Subscriptions & Memberships for PayPal | Cross-Site Request Forgery (CSRF) to Post Deletion (BAC) |
SVG Support | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Team | Missing Authorization (BAC) to Settings Update (BAC) |
Team Builder | Missing Authorization (BAC) to Settings Update (BAC) |
Templines Elementor Helper Core | Privilege Escalation (BAC) |
Theme File Duplicator | File Download (BAC) |
Theme File Duplicator | File Upload (BAC) |
The Ultimate WordPress Toolkit – WP Extended | Missing Authorization (BAC) to Unauthenticated Post Order Manipulation (BAC) |
Trash Duplicate and 301 Redirect | Missing Authorization (BAC) to Unauthenticated Post Deletion (BAC) |
Uix Shortcodes | Shortcode Execution (BAC) |
Ultimate Classified Listings | Cross-Site Request Forgery (CSRF) to Account Takeover (BAC) |
Uncode Core | Shortcode Execution (BAC) in uncode_get_medias |
Uncode Theme | File Read (BAC) in uncode_recordMedia |
Uncode Theme | Unauthenticated File Read (BAC) in uncode_admin_get_oembed |
VideoWhisper Live Streaming Integration | File Deletion (BAC) |
VideoWhisper Live Streaming Integration | File Download (BAC) |
VikBooking Hotel Booking Engine & PMS | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
Vitepos | Broken Access Control (BAC) |
WHMCS Client Area for WordPress by WHMpress | Options Update (BAC) |
WHMpress | Unauthenticated Local File Inclusion (LFI) to Options Update (BAC) |
WooCommerce Food - Restaurant Menu & Food ordering | Unauthenticated Shortcode Execution (BAC) from ids |
WooCommerce Support Ticket System | Missing Authorization (BAC) to Post Deletion (BAC) and Information Exposure |
WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates | Unauthenticated File Upload (BAC) |
WordPress FormCraft - Premium WordPress Form Builder plugin | Unauthenticated Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
WordPress Portfolio Builder – Portfolio Gallery | Missing Authorization (BAC) to Unauthenticated Portfolio Update |
WP Abstracts | Cross-Site Request Forgery (CSRF) to Account Deletion (BAC) |
WP All Import | Cross-Site Request Forgery (CSRF) to Imported Content Deletion (BAC) |
WP All Import Pro | Cross-Site Request Forgery (CSRF) to Imported Content Deletion (BAC) |
WP-Asambleas | Shortcode Execution (BAC) |
WP Directorybox Manager | Authentication Bypass (BAC) |
WP Find Your Nearest | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
wpForo Forum | File Read (BAC) in update |
WP Job Board Pro | Unauthenticated Privilege Escalation (BAC) from process_register |
WP Media Category Management | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
WP Project Manager | Missing Authorization (BAC) to Options Update (BAC) |
Wp Social | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon | Missing Authorization (BAC) to Settings Reset |
WP Table Manager | Missing Authorization (BAC) to Directory Traversal to Folder/File Name Private Disclosure |
WPvivid Backup and Migration | File Upload (BAC) from wpvivid_upload_file |
Zarinpal Paid Download | File Upload (BAC) |
Zox News Theme | Missing Authorization (BAC) to Options Modification |
ZoxPress Theme | Missing Authorization (BAC) to Options Deletion (BAC) |
ZoxPress Theme | Missing Authorization (BAC) to Options Update (BAC) |
Year | WP BAC & WordPress Broken Access Control reported |
2023 | 931 |
2024 | 2024 |
2025 | 649 |
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC MAR 2025: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and got no clue where to start? Hire an expert. Pay the price of a coffee per week; it's cheaper than 1 hour of a freelancer.
Not sure whether our recurrent security offer is worth long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.
We’re passionate about helping you grow and make your impact