WP BAC MAY 2024
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control vulnerabilities, identified and reported publicly. WP BAC MAY 2024 is a +109% INCREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT – OR – switching to a TOP10LIST alternative WP Security Plugin – OR – hiring us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate the "gazillion" different threats to your WordPress site. Get your WP BAC MAY 2024: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Checkout Payment Gateway for WooCommerce | Missing Authorisation (BAC) via sniff_ins |
5 Stars Rating Funnel | Arbitrary Content Deletion (BAC) |
5 Stars Rating Funnel | Broken Access Control (BAC) |
Academy LMS | Broken Access Control (BAC) |
Accountra Theme | Broken Access Control (BAC) |
ActiveDEMAND | Arbitrary File Upload (BAC) |
Active Products Tables for WooCommerce | Broken Access Control (BAC) |
Advanced Local Pickup for WooCommerce | Broken Access Control (BAC) |
Advanced Local Pickup for WooCommerce | Broken Access Control (BAC) |
Advanced Post Block Post Grid for WordPress block editor | Missing Authorisation (BAC) to Information Disclosure |
Advanced Search | Shortcode Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
Advanced Testimonial Carousel for Elementor | Broken Access Control (BAC) |
AI Post Generator | AutoWriter | Broken Access Control (BAC) |
All in One Video Gallery | Broken Access Control (BAC) |
Althea WP Theme | Broken Access Control (BAC) |
Announcer – Notification & message bars | Broken Access Control (BAC) |
Appointment Hour Booking | Captcha Bypass (BAC) |
AppPresser | Broken Access Control (BAC) |
Arconix FAQ | Broken Access Control (BAC) |
Arconix Shortcodes | Broken Access Control (BAC) |
ARForms | Arbitrary File Deletion (BAC) |
ARForms | Arbitrary Plugin Activation/Deactivation (BAC) |
ARForms Form Builder | Broken Access Control (BAC) |
ARForms Form Builder | Missing Authorisation (BAC) to Arbitrary Option Deletion (BAC) |
ARMember | Broken Access Control (BAC) |
Aspose.Words Exporter | Broken Access Control (BAC) |
Auto Poster | Arbitrary File Upload (BAC) |
AWP Classifieds | Broken Access Control (BAC) |
Backup Migration | Broken Access Control (BAC) |
BackWPup | Unauthenticated Backup Download (BAC) |
Barcode Scanner with Inventory & Order Manager | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Barcode Scanner with Inventory & Order Manager | Unauthenticated Broken Access Control (BAC) |
Barcode Scanner with Inventory & Order Manager | Unauthenticated Privilege Escalation (BAC) |
BizPrint | Broken Access Control (BAC) |
BookingPress | Arbitrary File Upload (BAC) |
Booking Ultra Pro | Privilege Escalation (BAC) |
Boostify Header Footer Builder for Elementor | Broken Access Control (BAC) |
BP Better Messages | Broken Authentication (BAC) |
Bricksforge | Unauthenticated Arbitrary WordPress Setting Deletion (BAC) |
Brite Theme | Broken Access Control (BAC) |
BuddyForms | Arbitrary File Read (BAC) and Server-Side Request Forgery (SSRF) |
Captcha by BestWebSoft | Captcha Bypass (BAC) |
Chauffeur Taxi Booking System for WordPress | Broken Authentication (BAC) |
Church Admin | Arbitrary File Upload (BAC) |
Church Admin | Broken Access Control (BAC) |
Classified Listing | Missing Authorisation (BAC) to Arbitrary Attachment Deletion (BAC) |
Classified Listing | Cross-Site Request Forgery (CSRF) to Account Takeover via rtcl_update_user_account (BAC) |
Classified Listing | Missing Authorisation (BAC) |
Client Dash | Broken Access Control (BAC) |
Clone | Broken Access Control (BAC) |
Colibri WP Theme | Broken Access Control (BAC) |
Contact Form & Lead Form Elementor Builder | Missing Authorisation (BAC) |
Content Control | Missing Authorisation (BAC) to Private Information Exposure |
Contest Gallery | Arbitrary File Deletion (BAC) |
Conversational Forms for ChatBot | Arbitrary File Download (BAC) |
CookieHub | Broken Access Control (BAC) |
Country State City Dropdown CF7 | Missing Authorisation (BAC) |
Customer Reviews for WooCommerce | Missing Authorisation (BAC) to Arbitrary Email Sending |
Customer Reviews for WooCommerce | Missing Authorisation (BAC) to Coupon Search |
Custom Order Statuses for WooCommerce | Broken Access Control (BAC) |
Custom Thank You Page Customize For WooCommerce by Binary Carpenter | Broken Access Control (BAC) |
Dashboard Welcome for Elementor | Broken Access Control (BAC) |
Data Tables Generator by Supsystic | Broken Access Control (BAC) |
Delete Custom Fields | Cross-Site Request Forgery (CSRF) to Post Meta Deletion (BAC) |
Demo My WordPress | Unauthenticated Privilege Escalation (BAC) |
Download Manager | File Password Lock Bypass (BAC) |
Duplicate Post | Broken Access Control (BAC) |
Easy Accept Payments | Broken Access Control (BAC) |
Easy Property Listings | Broken Access Control (BAC) |
Easy Social Share Buttons | Multiple Broken Access Control (BAC) |
EleForms | Missing Authorisation (BAC) to Private Information Exposure |
Element Pack Pro | Arbitrary File Read (BAC) and Phar Deserialization |
Elespare | Missing Authorisation (BAC) to Arbitrary Post Creation (BAC) |
Elevate WP Theme | Broken Access Control (BAC) |
Email Subscribers & Newsletters | Broken Access Control (BAC) |
EmbedPress | Broken Access Control (BAC) |
EmbedPress | Broken Access Control (BAC) |
Enhanced Text Widget | Broken Access Control (BAC) |
ENL Newsletter | Campaign Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
EnvíaloSimple | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
EPROLO Dropshipping | Broken Access Control (BAC) |
eRoom – Zoom Meetings & Webinar | Missing Authorisation (BAC) to Private Information Exposure |
Everest Backup | Arbitrary File Upload (BAC) |
Evergreen Content Poster | Broken Access Control (BAC) |
Exclusive Addons Elementor | Broken Access Control (BAC) |
Fatal Error Notify | Broken Access Control (BAC) |
Filter Custom Fields & Taxonomies Light | Broken Access Control (BAC) |
Five Star Restaurant Reservations | Broken Access Control (BAC) |
Flexible Checkout Fields for WooCommerce | Broken Access Control (BAC) |
Flexible Shipping | Broken Access Control (BAC) |
Forminator | Unauthenticated Cross-Site Scripting (XSS) via File Upload (BAC) |
GG Woo Feed for WooCommerce | Broken Access Control (BAC) |
Giveaways and Contests by RafflePress | IP Restriction Bypass (BAC) |
Hugo WP Theme | Broken Access Control (BAC) |
Hummingbird | Broken Access Control (BAC) |
Image Watermark | Missing Authorisation (BAC) to Watermark Modification |
Import XML and RSS Feeds | Arbitrary File Upload (BAC) |
Inline Related Posts | Password Protected Post Read (BAC) |
Instant Images | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
InstaWP Connect | Unauthenticated Arbitrary File Upload (BAC) | Patch priority: high, Fixed |
InstaWP Connect | Broken Access Control (BAC) |
Integrate Google Drive | Broken Access Control (BAC) |
Integrate Google Drive | Broken Access Control (BAC) |
Ivory Search | Missing Authorisation (BAC) to Index Creation (BAC) |
JS Help Desk – Best Help Desk & Support Plugin | Broken Access Control (BAC) |
KB Support | Broken Access Control (BAC) |
Knowledge Base documentation & wiki plugin – BasePress | Broken Access Control (BAC) |
LearnPress | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Load More Anything | Broken Access Control (BAC) |
LoginPress Pro | Captcha Bypass (BAC) |
LoginPress Pro | Unauthenticated License Activation/Deactivation (BAC) |
Login with phone number | Broken Access Control (BAC) |
Login with phone number | Privilege Escalation (BAC) |
Maintenance Mode by helderk | IP Bypass (BAC) |
Master Addons for Elementor | Broken Access Control (BAC) on Duplicate Post |
Masteriyo LMS | Privilege Escalation (BAC) |
MasterStudy LMS | Unauthenticated Privilege Escalation (BAC) via stm_lms_register AJAX Action |
MaxGalleria | Missing Authorisation (BAC) |
Mega Addons For Elementor | Broken Access Control (BAC) |
Metform Elementor Contact Form Builder | Broken Access Control (BAC) |
MP3 Audio Player for Music, Radio & Podcast by Sonaar | Arbitrary File Download (BAC) |
Multi Currency For WooCommerce | Broken Access Control (BAC) |
MyRewards | Broken Access Control (BAC) |
Newsletters | Arbitrary File Upload (BAC) |
News Wall | Cross-Site Request Forgery (CSRF) to Plugin Settings Update (BAC) |
NextGEN Gallery | Missing Authorisation (BAC) to Unauthenticated Information Disclosure |
NPS computy | Results Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
Olive One Click Demo Import | Arbitrary File Download (BAC) |
Open Close WooCommerce Store | Broken Access Control (BAC) |
OrderConvo | Unauthenticated API Access (BAC) to Arbitrary File Upload (BAC) |
Order Limit for WooCommerce | Broken Access Control (BAC) |
Otter Gutenberg Block | Limited File Upload (BAC) to Cross-Site Scripting (XSS) |
Ovic Addon Toolkit | Broken Access Control (BAC) |
Ovic Responsive WPBakery | Broken Access Control (BAC) |
Page Builder: Live Composer | Broken Access Control (BAC) |
Pardot | Broken Access Control (BAC) |
Pathway Theme | Broken Access Control (BAC) |
Payment Gateway Based Fees and Discounts for WooCommerce | Broken Access Control (BAC) |
PeproDev Ultimate Invoice | Broken Access Control (BAC) |
Photo Gallery by 10Web | Broken Access Control (BAC) |
Piotnet Addons For Elementor Pro | Unauthenticated Arbitrary Post/Page Deletion (BAC) |
Pocket News Generator | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
Podlove Podcast Publisher | Broken Access Control (BAC) |
Podlove Podcast Publisher | Broken Access Control (BAC) |
Poll Maker | Missing Authorisation (BAC) to Unauthenticated Private Email Enumeration |
Poll Maker | Missing Authorisation (BAC) to Unauthenticated Cross-Site Scripting (XSS) |
Pop up | Broken Access Control (BAC) |
Popup Anything | Broken Access Control (BAC) |
Popup box | Missing Authorisation (BAC) to Private Information Exposure |
Popup by Supsystic | Broken Access Control (BAC) |
Post Grid | Unauthenticated Password Protected Posts Access (BAC) |
Post Type Builder (PTB) | Arbitrary Post/Page Creation (BAC) |
PostX – Gutenberg Blocks for Post Grid | Post/Page Duplication (BAC) |
PPOM for WooCommerce | Unauthenticated Arbitrary File Upload (BAC) via ppom_upload_file |
Premmerce Product Filter for WooCommerce | Broken Access Control (BAC) |
Prime Slider – Addons For Elementor | Broken Access Control (BAC) |
Prime Slider – Addons For Elementor | Broken Access Control (BAC) |
Print Invoice & Delivery Notes for WooCommerce | Broken Access Control (BAC) |
Products, Order & Customers Export for WooCommerce | Broken Access Control (BAC) |
Product Sort and Display for WooCommerce | Missing Authorisation (BAC) |
Profile Builder | Bypass (BAC) |
ProfileGrid | Group Members Limit Bypass (BAC) |
ProfileGrid | Missing Authorisation (BAC) |
PropertyHive | Missing Authorisation (BAC) to Arbitrary Post Deletion (BAC) |
Quick Featured Images | Missing Authorisation (BAC) to Arbitrary Thumbnail Deletion (BAC) |
Redirect Redirection | Broken Access Control (BAC) |
Relevanssi | Missing Authorisation (BAC) to Unauthenticated Count Option Update (BAC) |
Relevanssi Premium | Missing Authorisation (BAC) to Unauthenticated Count Option Update (BAC) |
Responsive Lightbox | Broken Access Control (BAC) |
Responsive Theme | Missing Authorisation (BAC) to HTML Injection |
Restrict Content | Broken Access Control (BAC) |
Reviews Plus | Broken Access Control (BAC) |
RomethemeForm For Elementor | Broken Access Control (BAC) |
Royal Elementor Addons | IP Bypass (BAC) |
Royal Elementor Addons | Unauthenticated Limited File Upload (BAC) |
RSS Redirect & Feedburner Alternative | Broken Access Control (BAC) |
s2Member Pro | Privilege Escalation (BAC) |
Salon booking system | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Save as PDF plugin by Pdfcrowd | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
SchedulePress | Broken Access Control (BAC) |
Secure Copy Content Protection and Content Locking | Broken Access Control (BAC) |
Secure Copy Content Protection and Content Locking | Broken Access Control (BAC) |
Sendinblue for WooCommerce | Arbitrary File Download (BAC) and Deletion (BAC) |
Send PDF for Contact Form 7 | Missing Authorisation (BAC) |
Shared Files | Broken Access Control (BAC) |
Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy | Arbitrary Content Deletion (BAC) |
Sharkdropship for AliExpress Dropship and Affiliate | Missing Authorisation (BAC) to Unauthenticated Arbitrary Post Deletion (BAC) |
Shortcode Addons | Broken Access Control (BAC) |
ShortPixel Adaptive Images | Broken Access Control (BAC) |
ShortPixel Critical CSS | Broken Access Control (BAC) |
Simple Buttons Creator | Arbitrary Button Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
Simple Registration for WooCommerce | Unauthenticated Privilege Escalation (BAC) |
Sirv | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimiser | Missing Authorisation (BAC) |
Smart Forms | Broken Access Control (BAC) |
Smart Forms | Edit Entries via Broken Access Control (BAC) |
Smart Online Order for Clover | Cross-Site Request Forgery (CSRF) Leading to Coupon Creation/Modification (BAC) |
Smart Slider 3 | Missing Authorisation (BAC) to Limited File Upload (BAC) |
Social Media & Share Icons | Broken Access Control (BAC) |
Social Pug | Unauthenticated Password Protected Posts Access (BAC) |
Social Share Icons & Social Share Buttons | Broken Access Control (BAC) |
Social Share Icons & Social Share Buttons | Broken Access Control (BAC) leading to Notice Dismissal |
Social Snap | Broken Access Control (BAC) |
Soledad Theme | Broken Access Control (BAC) |
Soledad Theme | Unauthenticated Broken Access Control (BAC) |
Speed Optimiser | Broken Access Control (BAC) |
SSL Mixed Content Fix | Broken Access Control (BAC) |
SSU | Broken Access Control (BAC) |
Startupzy Theme | Broken Access Control (BAC) |
Sticky Anything | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Subscribe2 | Broken Access Control (BAC) |
Support Genix | Broken Access Control (BAC) leading to Arbitrary File Upload (BAC) |
Template Kit – Import | Cross-Site Scripting (XSS) via template Upload (BAC) |
Theme My Login | Broken Access Control (BAC) |
Themify – WooCommerce Product Filter | Filter Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
The Plus Blocks for Block Editor | Gutenberg | Broken Access Control (BAC) |
Total Poll Lite | Broken Access Control (BAC) |
Tracking Code Manager | Broken Access Control (BAC) |
TrackShip for WooCommerce | Broken Access Control (BAC) |
Ultimate Posts Widget | Broken Access Control (BAC) |
User Registration | Privilege Escalation (BAC) |
User Registration | Missing Authorisation (BAC) to Unauthenticated Media Deletion (BAC) |
Vertice Theme | Broken Access Control (BAC) |
Vision Interactive | Broken Access Control (BAC) |
Vitepos | Broken Access Control (BAC) |
VK Block Patterns | Broken Access Control (BAC) |
WC Marketplace | Broken Access Control (BAC) |
weForms | Form Submission Restriction Bypass (BAC) |
Welcart e Commerce | Broken Access Control (BAC) |
WooCommerce | Private/Draft Products Access (BAC) |
WooCommerce Cart Abandonment Recovery | Templates/Abandoned Orders Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | Missing Authorisation (BAC) to Unauthenticated Settings Reset |
WordPress Backup & Migration | Missing Authorisation (BAC) to Directory Traversal |
WordPress Gallery Exporter | Arbitrary File Download (BAC) |
WordPress Meta Data and Taxonomies Filter (MDTF) | Broken Access Control (BAC) |
WP2LEADS | Broken Access Control (BAC) |
WP Accessibility Helper (WAH) | Broken Access Control (BAC) |
WPC Frequently Bought Together for WooCommerce | Broken Access Control (BAC) |
WPC Grouped Product for WooCommerce | Broken Access Control (BAC) |
WP Club Manager | Broken Access Control (BAC) |
WP Cookie Notice for GDPR, CCPA & ePrivacy Consent | Missing Authorisation (BAC) to Unauthenticated Arbitrary Post Deletion (BAC) |
WP Cost Estimation & Payment Forms Builder | Broken Access Control (BAC) |
WP Datepicker | Arbitrary Options Update (BAC) to Privilege Escalation (BAC) |
wpDiscuz | Cross-Site Scripting (XSS) via Uploaded Image Alternative Text |
WP Eggdrop | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
WP GoToWebinar | Broken Access Control (BAC) |
WP LinkedIn Auto Publish | Broken Access Control (BAC) |
WP Lister Lite for eBay | Arbitrary File Upload (BAC) |
WP Page Post Widget Clone | Broken Access Control (BAC) |
WP Photo Album Plus | Arbitrary File Upload (BAC) |
WPPizza | Broken Access Control (BAC) |
WP Poll Maker | Arbitrary File Deletion (BAC) |
WP Poll Maker | Arbitrary File Upload (BAC) |
WP Radio – Worldwide Online Radio Stations Directory for WordPress | Missing Authorisation (BAC) |
WP Social Comments | Broken Access Control (BAC) |
WP Sort Order | Broken Access Control (BAC) |
WP Stateless | Missing Authorisation (BAC) to Limited Arbitrary Options Update (BAC) |
WP Time Slots Booking Form | Broken Access Control (BAC) |
Wp Ultimate Review | Broken Access Control (BAC) on Review |
WPZOOM Social Feed Widget & Block | Missing Authorisation (BAC) to Instagram Image Deletion (BAC) |
WZone | Arbitrary SQL Update (BAC) Execution |
WZone | Privilege Escalation (BAC) |
WZone | Site Wide Broken Access Control (BAC) |
WZone | Unauthenticated Broken Access Control (BAC) |
XStore Core | Limited Arbitrary File Download (BAC) |
XStore Core | Limited Arbitrary File Upload (BAC) |
XStore Core | Multiple Broken Access Control (BAC) |
XStore Core | Unauthenticated Privilege Escalation (BAC) |
XStore Theme | Arbitrary Option Update (BAC) |
XStore Theme | Broken Access Control (BAC) |
XStore Theme | Unauthenticated Broken Access Control (BAC) |
Zero Spam | Bypass (BAC) Spam Protection |
WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
WP BAC & WordPress Broken Access Control reported in 2024: | 615 |
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC MAY 2024: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and have no clue where to start? Hire an expert. Pay a coffee per week; it's cheaper than 1 hour of a freelancer.
Not sure that our recurrent security offer is worthy of long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.
We’re passionate about helping you grow and make your impact
Continue being informed
Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes.
Weekly inspiration, news and occasional hand-picked deals. Unsubscribe anytime.