
WP BAC MAR 2025: Brutal 172 WP Broken Access Control


Managed WordPress Security Report

Be informed about the latest WP Broken Access Control vulnerabilities, identified and reported publicly. WP BAC MAR 2025 is a -33% DECREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT – OR – switching to a TOP10LIST alternative WP Security Plugin – OR – hiring us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.

WHO needs managed WP security? EVERYBODY!

Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate a "gazillion" different threats in your WordPress. Get your WP BAC MAR 2025: WP Broken Access Control Patch Management.

The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:

3D Photo Gallery Missing Authorization (BAC) to Cross-Site Scripting (XSS)
A1POST.BG Shipping for Woo Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC)
ADFO Deserialization (BAC) of untrusted data
aDirectory Missing Authorization (BAC) to Post Deletion (BAC)
Admin and Site Enhancements (ASE) Pro Privilege Escalation (BAC)
Advanced Google reCAPTCHA Built-in Math CAPTCHA Bypass (BAC)
Affiliate Links Lite Missing Authorization (BAC) to Unauthenticated Import/Export and PHP Object Injection
AIO Performance Profiler, Monitor, Optimize, Compress & Debug Broken Access Control (BAC)
All-Images.ai File Upload (BAC)
Analytify Broken Access Control (BAC)
Animated Text Block Broken Access Control (BAC)
Apus Framework Options Update (BAC) in import_page_options
Atarim Content Deletion (BAC)
Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue Settings Change (BAC)
Avada Theme Unauthenticated Shortcode Execution (BAC)
Awesome Event Booking Broken Access Control (BAC)
Bit Assist Path Traversal (BAC) to File Read (BAC) from downloadResponseFile Function
Bit Assist Path Traversal (BAC) to File Read (BAC) from fileID Parameter
Book a Room Cross-Site Request Forgery (CSRF) to Settings Update (BAC)
Booking Calendar Unauthenticated Post-Confirmation Booking Manipulation (BAC)
BookPress – For Book Authors Broken Access Control (BAC)
Bricks Builder Theme Privilege Escalation (BAC) from create_autosave
Brizy File Upload (BAC) from storeUploads
Brizy Cross-Site Scripting (XSS) from SVG File Upload (BAC)
C9 Admin Dashboard Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Car Dealer Theme File Deletion (BAC) and Read (BAC)
Car Dealer Theme Missing Authorization (BAC) to Change (BAC) and JS-CSS Files Delete (BAC)
Car Dealer Theme Theme Option Update to Privilege Escalation (BAC)
CarSpot Theme Unauthenticated Password Reset/Account Takeover (BAC)
Chaty Pro File Upload (BAC)
Child Themes Helper Cross-Site Request Forgery (CSRF) to File Deletion (BAC)
Classified Listing Unauthenticated Settings Exposure (BAC)
Click Mag Theme Missing Authorization (BAC) to Options Deletion (BAC)
ClickWhale Cross-Site Request Forgery (CSRF) to Settings Change (BAC)
Contact Manager Unauthenticated Double File Extension Upload (BAC)
ConvertPlus Missing Authorization (BAC) to Options Update (BAC)
CURCY Unauthenticated Shortcode Execution (BAC) from get_products_price Function
Custom Post Type Date Archives Missing Authorization (BAC) to Unauthenticated Shortcode Execution (BAC)
Custom Related Posts Missing Authorization (BAC) to Private Post Search and Relation Updates
DefendWP Firewall Broken Access Control (BAC)
DHVC Form Unauthenticated Privilege Escalation (BAC)
Directorist Privilege Escalation (BAC) and Account Takeover (BAC) from OTP
DirectoryPress Frontend Cross-Site Request Forgery (CSRF) to Listing Status Update (BAC)
Disable Elementor Editor Translation Broken Access Control (BAC)
Distance Based Shipping Calculator Broken Access Control (BAC)
Distance Based Shipping Calculator Settings Change (BAC)
Download IP2Location Country Blocker Missing Authorization (BAC) to Unauthenticated Information Exposure from admin_init Function
DSGVO All in one for WP Cross-Site Request Forgery (CSRF) to Account Deletion (BAC)
EAN for WooCommerce Broken Access Control (BAC)
Email Verification for WooCommerce Authentication Bypass (BAC) from Shortcode
Embed RSS Shortcode Execution (BAC)
Enfold Theme Missing Authorization (BAC) to Private Information Disclosure in avia-export-class.php
Essential Blocks for Gutenberg Broken Access Control (BAC)
Eventer Missing Authorization (BAC) to Bookings Export
Eventer Missing Authorization (BAC) to Unauthenticated Event Ticket Download
Event Kikfyre Broken Access Control (BAC)
Events Manager Broken Access Control (BAC)
Event Tickets Missing Authorization (BAC) to Ticket Deletion (BAC)
Everest Forms Unauthenticated File Upload (BAC), Read (BAC), and Deletion (BAC)
Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets Broken Access Control (BAC)
Flexible Wishlist for WooCommerce Cross-Site Request Forgery (CSRF) to Wishlist Creation/Modification (BAC)
FoodBakery Authentication Bypass (BAC) in foodbakery_parse_request
FoodBakery Unauthenticated File Upload (BAC)
FoodBakery Unauthenticated Privilege Escalation (BAC) in foodbakery_registration_validation
Forex Calculators Missing Authorization (BAC) to Settings Update (BAC)
FormCraft 3 Missing Authorization (BAC) to Plugin Data Export in formcraft-main.php
Fusion Builder Unauthenticated Shortcode Execution (BAC)
GetBookingsWP Privilege Escalation (BAC) from Account Takeover (BAC)
Gift Vouchers Missing Authorization (BAC) to Unauthenticated Price, Date, and Note Updates
Global Gallery - WordPress Responsive Gallery Shortcode Execution (BAC)
GlobalQuran Cross-Site Request Forgery (CSRF) to Settings Change (BAC)
GPX Viewer Path Traversal (BAC)
Helloprint File Deletion (BAC)
Helloprint File Deletion (BAC)
Houzez Property Feed Cross-Site Request Forgery (CSRF) to Property Feed Export Deletion (BAC)
Indeed API Cross-Site Request Forgery (CSRF) to Settings Change (BAC)
iNET Webkit Broken Access Control (BAC)
Keep Backup Daily File Download (BAC)
K Elements Unauthenticated Account Takeover (BAC)
Login Me Now Authentication Bypass (BAC)
LTL Freight Quotes – FreightQuote Edition Broken Access Control (BAC)
LTL Freight Quotes – GlobalTranz Edition Missing Authorization (BAC) to Unauthenticated Settings Update (BAC)
LTL Freight Quotes – Unishippers Edition Broken Access Control (BAC)
LTL Freight Quotes – Worldwide Express Edition Content Deletion (BAC)
Market Exporter Broken Access Control (BAC)
Media Library Folders Missing Authorization (BAC) to Plugin Settings Change (BAC)
Munk Sites Cross-Site Request Forgery (CSRF) to Plugin Installation (BAC)
Music Sheet Viewer File Read (BAC)
MyTicket Events Non-Arbitrary File Read (BAC)
Nextend Social Login Pro Authentication Bypass (BAC) from Apple OAuth provider
NextMove Lite Missing Authorization (BAC) to Deactivation Reason Submission
NHR Options Table Manager Deserialization (BAC) of untrusted data
Oliver POS Private Information Exposure to Privilege Escalation (BAC)
OnePress Theme Broken Access Control (BAC)
OneStore Sites Cross-Site Request Forgery (CSRF) to Plugin Installation (BAC)
Option Editor Cross-Site Request Forgery (CSRF) to Options Update (BAC)
Order Limit for WooCommerce Broken Access Control (BAC)
Page and Post Lister Content Deletion (BAC)
Paid Videochat Turnkey Site File Deletion (BAC)
Pallet Packaging for WooCommerce Broken Access Control (BAC)
Photo Gallery ( Responsive ) Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC)
Pie Register Premium Broken Access Control (BAC)
Plugin A/B Image Optimizer File Download (BAC)
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Path Traversal (BAC) to File Read (BAC) from template_via_url Function
PressMart Theme Unauthenticated Shortcode Execution (BAC)
PrivateContent Unauthenticated Account Takeover (BAC)
Puzzles Theme Missing Authorization (BAC) to Cross-Site Scripting (XSS)
Rank Math SEO Missing Authorization (BAC) to Schema Deletion (BAC)
RapidLoad Broken Access Control (BAC)
Raptive Ads Missing Authorization (BAC) to Unauthenticated Data/Settings Reset
Read More & Accordion Missing Authorization (BAC) to 'Read More' Post Deletion (BAC)
Real Estate 7 Theme Unauthenticated Privilege Escalation (BAC) to Administrator
Real Estate Manager Captcha Bypass (BAC)
Recipe Card Blocks for Gutenberg & Elementor Broken Access Control (BAC)
Residential Address Detection Option Update to Privilege Escalation (BAC)
School Management System – SakolaWP Cross-Site Request Forgery (CSRF) to Exam Setting Manipulation (BAC)
Scratch & Win – Giveaways and Contests Missing Authorization (BAC) to Unauthenticated Coupon Creation
Search with Typesense Path Traversal (BAC)
Security & Malware scan by CleanTalk Unauthenticated File Upload (BAC)
Shopwarden Cross-Site Request Forgery (CSRF) to Options Update (BAC)
Show Me The Cookies Unauthenticated Shortcode Execution (BAC)
Simplified File Upload (BAC)
Slide Banners Broken Access Control (BAC)
Small Package Quotes – Unishippers Edition Broken Access Control (BAC)
SocialV Theme Missing Authorization (BAC) to File Download (BAC)
Sports Rankings and Lists File Download (BAC)
Starter Templates by FancyWP Cross-Site Request Forgery (CSRF) to Plugin Installation (BAC)
Sticky Header On Scroll Broken Access Control (BAC)
Strong Testimonials Broken Access Control (BAC)
Subscriptions & Memberships for PayPal Cross-Site Request Forgery (CSRF) to Post Deletion (BAC)
SVG Support Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Team Missing Authorization (BAC) to Settings Update (BAC)
Team Builder Missing Authorization (BAC) to Settings Update (BAC)
Templines Elementor Helper Core Privilege Escalation (BAC)
Theme File Duplicator File Download (BAC)
Theme File Duplicator File Upload (BAC)
The Ultimate WordPress Toolkit – WP Extended Missing Authorization (BAC) to Unauthenticated Post Order Manipulation (BAC)
Trash Duplicate and 301 Redirect Missing Authorization (BAC) to Unauthenticated Post Deletion (BAC)
Uix Shortcodes Shortcode Execution (BAC)
Ultimate Classified Listings Cross-Site Request Forgery (CSRF) to Account Takeover (BAC)
Uncode Core Shortcode Execution (BAC) in uncode_get_medias
Uncode Theme File Read (BAC) in uncode_recordMedia
Uncode Theme Unauthenticated File Read (BAC) in uncode_admin_get_oembed
VideoWhisper Live Streaming Integration File Deletion (BAC)
VideoWhisper Live Streaming Integration File Download (BAC)
VikBooking Hotel Booking Engine & PMS Cross-Site Request Forgery (CSRF) to Settings Change (BAC)
Vitepos Broken Access Control (BAC)
WHMCS Client Area for WordPress by WHMpress Options Update (BAC)
WHMpress Unauthenticated Local File Inclusion (LFI) to Options Update (BAC)
WooCommerce Food - Restaurant Menu & Food ordering Unauthenticated Shortcode Execution (BAC) from ids
WooCommerce Support Ticket System Missing Authorization (BAC) to Post Deletion (BAC) and Information Exposure
WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates Unauthenticated File Upload (BAC)
WordPress FormCraft - Premium WordPress Form Builder plugin Unauthenticated Cross-Site Scripting (XSS) from SVG File Upload (BAC)
WordPress Portfolio Builder – Portfolio Gallery Missing Authorization (BAC) to Unauthenticated Portfolio Update
WP Abstracts Cross-Site Request Forgery (CSRF) to Account Deletion (BAC)
WP All Import Cross-Site Request Forgery (CSRF) to Imported Content Deletion (BAC)
WP All Import Pro Cross-Site Request Forgery (CSRF) to Imported Content Deletion (BAC)
WP-Asambleas Shortcode Execution (BAC)
WP Directorybox Manager Authentication Bypass (BAC)
WP Find Your Nearest Cross-Site Request Forgery (CSRF) to Settings Change (BAC)
wpForo Forum File Read (BAC) in update
WP Job Board Pro Unauthenticated Privilege Escalation (BAC) from process_register
WP Media Category Management Cross-Site Request Forgery (CSRF) to Settings Update (BAC)
WP Project Manager Missing Authorization (BAC) to Options Update (BAC)
Wp Social Cross-Site Request Forgery (CSRF) to Settings Update (BAC)
WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon Missing Authorization (BAC) to Settings Reset
WP Table Manager Missing Authorization (BAC) to Directory Traversal to Folder/File Name Private Disclosure
WPvivid Backup and Migration File Upload (BAC) from wpvivid_upload_file
Zarinpal Paid Download File Upload (BAC)
Zox News Theme Missing Authorization (BAC) to Options Modification
ZoxPress Theme Missing Authorization (BAC) to Options Deletion (BAC)
ZoxPress Theme Missing Authorization (BAC) to Options Update (BAC)

WP BAC & WordPress Broken Access Control reported in 2023: 931
WP BAC & WordPress Broken Access Control reported in 2024: 2024
WP BAC & WordPress Broken Access Control reported in 2025: 649

WHO needs managed WP Maintenance? EVERYBODY!

Today's reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free and premium modules, plus the occasional emergency change when critical vulnerabilities are publicly disclosed without patches. Order WP BAC MAR 2025: WP Broken Access Control Patch Management.

Security is not a single-task job

Need managed WP Security and have no clue where to start? Hire an expert. Pay a coffee per week; it's cheaper than 1 hour of a freelancer's time.

Not sure that our recurrent security offer is worthy of long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.
