Scroll Top

WP BAC NOV 2024: 264 Brutal WP Broken Access Control

By Csaba, Miklós WP Security owl WAF 13 November 2024

WP BAC NOV 2024: WP BROKEN ACCESS CONTROL

WP BAC NOV 2024

WP Broken Access Control

Tailored WordPress Security Report

Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC NOV 2024 is a +172% INCREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin - OR - Hire professionals for tailored WP Security.

WHO needs tailored WP security? EVERYBODY!

Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate "gazillion" different threats in your WordPress. Get your WP BAC NOV 2024: WP Broken Access Control Patch Management.

SHOP NOW

The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:

1-Click Login: Passwordless Authentication Broken Authentication (BAC)
3D Work In Progress Arbitrary File Deletion (BAC)
3D Work In Progress Arbitrary File Upload (BAC)
AADMY Unauthenticated Arbitrary Shortcode Execution (BAC)
ACF Images Search And Insert Arbitrary File Upload (BAC)
Acnoo Flutter API Account Takeover (BAC)
Adding drop down roles in registration Privilege Escalation (BAC)
aDirectory Arbitrary File Upload (BAC)
Advanced Advertising System PHP Object Injection (BAC)
Advanced Custom Fields Missing Authorization (BAC) on Option Changes (BAC)
Advanced Custom Fields Missing Authorization (BAC) to Private Information Disclosure
Advanced Custom Fields Missing Authorization (BAC) to Private Information Disclosure
Advanced Custom Fields PRO Missing Authorization (BAC) on Option Changes (BAC)
Advanced Custom Fields PRO Missing Authorization (BAC) to Private Information Disclosure
Advanced Custom Fields PRO Missing Authorization (BAC) to Private Information Disclosure
Affiliate Pro - Affiliate Program for WooCommerce & WordPress Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC)
Affiliator Arbitrary File Upload (BAC)
Aggregator Advanced Settings Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Ahime Image Printer Arbitrary File Download (BAC)
AI Image Generator for Your Content & Featured Images – AI Postpix Arbitrary File Upload (BAC)
Ajar in5 Embed Arbitrary File Upload (BAC)
All Post Contact Form Arbitrary File Upload (BAC)
AMP for WP Cross-Site Request Forgery to Privilege Escalation (BAC)
Analyse Uploads Arbitrary File Deletion (BAC)
App Builder Privilege Escalation (BAC) and Account Takeover (BAC) from Weak OTP
AppPresser Privilege Escalation (BAC) and Account Takeover (BAC) from Weak OTP
AR For Woocommerce Arbitrary File Upload (BAC)
AR For WordPress Arbitrary File Upload (BAC)
Automatic Translation Arbitrary File Upload (BAC)
AVIF & SVG Uploader Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Azz Anonim Posting Arbitrary File Upload (BAC)
Backup and Staging by WP Time Capsule PHP Object Injection (BAC)
Best Restaurant Menu by PriceListo Broken Access Control (BAC)
Bit File Manager Limited JavaScript File Upload (BAC)
Bit Form – Contact Form Plugin Improper Input Validation to Arbitrary File Read (BAC)
Black Widgets For Elementor Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Bold Page Builder Broken Access Control (BAC)
Bot for Telegram on WooCommerce Telegram Bot Token Disclosure to Authentication Bypass (BAC)
Branding Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Breeze Broken Access Control (BAC)
Bridge Core Missing Authorization (BAC) to Demo Import
Bstone Demo Importer Privilege Escalation (BAC)
BuddyPress Directory Traversal (BAC)
BuddyPress Better Registration Broken Authentication (BAC)
Bulk Change Role Privilege Escalation (BAC)
Bulk images optimizer Missing Authorization (BAC) to Plugin Options Update (BAC)
Calculated Fields Form HTML Injection (BAC)
Category Icon Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Code Explorer External File Read (BAC)ing
Contact Form 7 Telegram Missing Authorization (BAC) to Subscription Approve and Pause and Refuse
Cooked Pro Unauthenticated Arbitrary File Upload (BAC)
Creates 3D Flipbook, PDF Flipbook Arbitrary File Upload (BAC)
Crypto Authentication Bypass (BAC) from log_in
Crypto Authentication Bypass (BAC) from register
Crypto Cross-Site Request Forgery to Authentication Bypass (BAC)
CubeWP – All-in-One Dynamic Content Framework Broken Access Control (BAC)
Custom Icons for Elementor Arbitrary File Upload (BAC)
Debrandify Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Demo Importer Plus Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Digital Lottery Arbitrary File Upload (BAC)
Disc Golf Manager PHP Object Injection (BAC)
Download Monitor Missing Authorization (BAC) to API Key Manipulation
Download Monitor Missing Authorization (BAC) to Private Information Exposure
Download Plugin Missing Authorization (BAC) to User Metadata and Comment Download
DS.DownloadList PHP Object Injection (BAC)
Easy Demo Importer Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Easy Menu Manager Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Easy Post Types Missing Authorization (BAC) from Multiple Functions
Easy Post Types PHP Object Injection (BAC)
Echo RSS Feed Post Generator Plugin for WordPress Unauthenticated Privilege Escalation (BAC)
Editorial Assistant by Sovrn Missing Authorization (BAC) to Attachment Upload and Set Post Featured Image
EKC Tournament Manager Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC)
Elastik Page Builder Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Elemenda Cross-Site Scripting (XSS) from SVG File Upload (BAC)
ElementsReady Addons for Elementor Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Email Subscribers & Newsletters Arbitrary Shortcode Execution (BAC)
Empowerment Theme PHP Object Injection (BAC)
Enable Shortcodes inside Widgets,Comments and Experts Unauthenticated Arbitrary Shortcode Execution (BAC)
Exam Matrix Privilege Escalation (BAC)
Extensions by HocWP Team Authentication Bypass (BAC)
Feed Comments Number Arbitrary File Upload (BAC)
File Manager Pro Cross-Site Request Forgery to Arbitrary File Upload (BAC)
File Manager Pro Unauthenticated Backup File Download (BAC) and Upload
File Manager Pro Unauthenticated Limited JavaScript File Upload (BAC)
FileOrganizer Arbitrary File Upload (BAC)
Fonto Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Forminator Missing Authorization (BAC) to Form Update (BAC) and Creation
FREE DOWNLOAD MANAGER Arbitrary File Deletion (BAC)
Free Stock Photos Foter PHP Object Injection (BAC)
GERRYWORKS Post by Mail Privilege Escalation (BAC)
Giveaway Boost PHP Object Injection (BAC)
GiveWP Unauthenticated PHP Object Injection (BAC) to Remote Code Execution (RCE)
Greenshift – animation and page builder blocks Broken Access Control (BAC)
GRÜN spendino Spendenformular Arbitrary Option Update (BAC) to Privilege Escalation (BAC)
GutenKit Unauthenticated Arbitrary File Upload (BAC)
Happy Addons for Elementor Broken Access Control (BAC)
Hash Form Unauthenticated Limited File Upload (BAC)
HD Quiz – Save Results Light Broken Access Control (BAC)
Hello World Arbitrary File Read (BAC)
Htaccess File Editor Broken Access Control (BAC)
Hunk Companion Missing Authorization (BAC) to Unauthenticated Arbitrary Plugin Installation and Activation
HurryTimer Missing Authorization (BAC) to Arbitrary Post Publication
iBryl Switch User Account Takeover (BAC)
Image Map Pro Missing Authorization (BAC) to Map Project Add and Update and Delete
ImagePress Cross-Site Request Forgery to Plugin Settings Update (BAC)
ImagePress Missing Authorization (BAC) to Arbitrary Post Deletion (BAC) and Post Title Update (BAC)
Infinite-Scroll Cross-Site Request Forgery to Plugin Settings Update (BAC)
INK Official Arbitrary File Upload (BAC)
IP Loc8 PHP Object Injection (BAC)
JiangQie Free Mini Program Arbitrary File Upload (BAC)
Job Board Manager for WordPress Privilege Escalation (BAC)
Kata Plus Cross-Site Scripting (XSS) from SVG File Upload (BAC)
KB Support Missing Authorization (BAC) to Multiple Administrator Actions
KB Support Missing Authorization (BAC) to Unauthenticated Ticket Reply Exposure
Landing Page Cat Broken Access Control (BAC)
LatePoint Authentication Bypass (BAC)
Leyka Broken Access Control (BAC)
Linkz.ai Missing Authorization (BAC) to Plugin Settings Update (BAC)
Linkz.ai Missing Authorization (BAC) to Unauthenticated Plugin Settings Update (BAC)
LiteSpeed Cache Privilege Escalation (BAC)
LocateAndFilter Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Login Protection – Limit Failed Login Attempts IP Address Spoofing to Protection Mechanism Bypass (BAC)
MaanStore API Account Takeover (BAC)
Mapster WP Maps Incorrect Authorization to Arbitrary Options Update (BAC)
Marketing Automation by AZEXO Arbitrary File Upload (BAC)
Marketing Automation by AZEXO Privilege Escalation (BAC)
Masteriyo - LMS Missing Authorization (BAC) to Privilege Escalation (BAC)
Meetup Broken Authentication (BAC)
Miniorange OTP Verification with Firebase Authentication Bypass (BAC)
Miniorange OTP Verification with Firebase Privilege Escalation (BAC) from Registration due to Administrator Default User Role Value
Multiline files upload for contact form 7 Missing Authorization (BAC) to Plugin Deactivation
Multi Purpose Mail Form Arbitrary File Upload (BAC)
Multi Purpose Mail Form Arbitrary File Upload (BAC)
Multi Step Form Broken Access Control (BAC)
Mynx Page Builder Cross-Site Scripting (XSS) from SVG File Upload (BAC)
My Reading Library PHP Object Injection (BAC)
My Wp Brand – Hide menu & Hide Plugin Broken Access Control (BAC)
Namaste! LMS PHP Object Injection (BAC)
Nextend Social Login Pro Authentication Bypass (BAC)
Nice Backgrounds Arbitrary File Upload (BAC)
Notification for Telegram Missing Authorization (BAC)
Order Attachments for WooCommerce 2.0 Missing Authorization (BAC) to Limited Arbitrary File Upload (BAC)
Order Notification for Telegram Missing Authorization (BAC) to Unauthenticated Send Telegram Test Message
Pedalo Connector Authentication Bypass (BAC)
PegaPoll Arbitrary Option Update (BAC) to Privilege Escalation (BAC)
Photo Gallery Builder Broken Access Control (BAC) to Notice Dismissal
photokit Arbitrary File Upload (BAC)
Plugin Propagator Arbitrary File Upload (BAC)
Plug your WooCommerce into the largest catalog of customized print products from Helloprint Arbitrary File Upload (BAC)
Portfolleo Arbitrary File Upload (BAC)
Product Customizer Light Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Product Website Showcase Arbitrary File Upload (BAC)
ProfilePress Pro Authentication Bypass (BAC)
Property Lot Management System Arbitrary File Upload (BAC)
PublishPress Authors Insecure Direct Object Reference (IDOR) to Arbitrary User Email Update (BAC) and Account Takeover (BAC)
PWA Cross-Site Scripting (XSS) from SVG File Upload (BAC)
QA Analytics Missing Authorization (BAC) to Settings Update (BAC)
QS Dark Mode Cross-Site Scripting (XSS) from SVG File Upload (BAC)
R Animated Icon Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Rank Math SEO PHP Object Injection (BAC)
Rank Math SEO Missing Authorization (BAC) to Unauthenticated User and Term Metadata Insert, Update (BAC), and Delete
Read more By Adam Missing Authorization (BAC) to Read More Button Deletion (BAC)
Realty Workstation Account Takeover (BAC)
Recently PHP Object Injection (BAC)
Relogo Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Re:WP Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Robo Gallery Missing Authorization (BAC) to Private Gallery Title Disclosure
Rover IDX Missing Authorization (BAC) from Multiple Functions
Rover IDX Authentication Bypass (BAC) to Administrator
RS-Members Privilege Escalation (BAC)
RSVPMaker for Toastmasters Arbitrary File Upload (BAC)
SendGrid for WordPress Missing Authorization (BAC) to Log Deletion (BAC)
SEOPress Broken Access Control (BAC)
SEOPress Broken Access Control (BAC)
SEOPress Unauthenticated Broken Access Control (BAC)
Shipyaari Shipping Management PHP Object Injection (BAC)
Shortcodes AnyWhere Unauthenticated Arbitrary Shortcode Execution (BAC)
ShortPixel Image Optimizer Broken Access Control (BAC)
Signup Page Arbitrary Option Update (BAC) to Privilege Escalation (BAC)
Simple Custom Post Order Broken Access Control (BAC)
Simple Membership Open Redirection (BAC)
Simple User Registration Account Takeover (BAC)
Sirv Cross-Site Scripting (XSS) from SVG File Upload (BAC)
SiteBuilder Dynamic Components PHP Object Injection (BAC)
Slider Revolution Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Smart Manager Broken Access Control (BAC)
Social Web Suite Directory Traversal (BAC) to Arbitrary File Download (BAC)
Soumettre.fr Missing Authorization (BAC)
Sovratec Case Management Arbitrary File Upload (BAC)
Spice Starter Sites Missing Authorization (BAC) to Unauthenticated Demo Content Import
Stackable Unauthenticated CSS Injection (BAC)
Stacks Mobile App Builder Account Takeover (BAC)
Stacks Mobile App Builder Arbitrary File Upload (BAC)
Stars SMTP Mailer Arbitrary File Upload (BAC)
Sudan Payment Gateway for WooCommerce Arbitrary File Upload (BAC)
Suki Sites Import Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Sunshine Photo Cart Broken Access Control (BAC)
Sunshine Photo Cart Open Redirection (BAC)
SurveyJS: Drag & Drop WordPress Form Builder Arbitrary File Upload (BAC)
SVG Complete Cross-Site Scripting (XSS) from SVG File Upload (BAC)
TAKETIN To WP Membership PHP Object Injection (BAC)
Talkback PHP Object Injection (BAC)
Telecash Ricaricaweb PHP Object Injection (BAC)
Templately Broken Access Control (BAC)
Templately Broken Access Control (BAC)
Timetable and Event Schedule Missing Authorization (BAC)
Timetics Insecure Direct Object Reference (IDOR) to Unauthenticated Arbitrary User Password and Email Reset and Account Takeover (BAC)
Token Login Broken Authentication (BAC)
Training – Courses Arbitrary File Upload (BAC)
Uix Shortcodes Unauthenticated Arbitrary Shortcode Execution (BAC)
UltimateAI Authentication Bypass (BAC)
UltimateAI Limited User Password Change (BAC) due to Improper Empty and Missing Default Value Check
UltraPress Theme PHP Object Injection (BAC)
Unseen Blog Theme PHP Object Injection (BAC)
UserPlus Registration Form Update (BAC) to Privilege Escalation (BAC)
User Toolkit Account Takeover (BAC)
Verbalize WP Arbitrary File Upload (BAC)
WatchTowerHQ Authentication Bypass (BAC)
WC Marketplace Cross-Site Request Forgery to Vendor Update (BAC)s
WC Marketplace Missing Authorization (BAC) to Forged Vendor ProFile Deletion (BAC) Email Sending
Wechat Social login Authentication Bypass (BAC)
Wechat Social login Unauthenticated Arbitrary File Upload (BAC)
WooCommerce Unauthenticated HTML Injection (BAC)
Woocommerce Custom Profile Picture Arbitrary File Upload (BAC)
WooCommerce Order Proposal Privilege Escalation (BAC) from Order Proposal
WooCommerce PDF Invoices & Packing Slips Broken Access Control (BAC)
Woocommerce Product Design Arbitrary File Deletion (BAC)
Woocommerce Product Design Arbitrary File Download (BAC)
Woocommerce Product Design Arbitrary File Upload (BAC)
WooCommerce UPS Shipping – Live Rates and Access Points Missing Authorization (BAC) to Plugin API key reset
Woostagram Connect Arbitrary File Upload (BAC)
WordPress Comments Import & Export Arbitrary File Read (BAC) from Directory Traversal (BAC)
WordPress File Upload (BAC) Unauthenticated Path Traversal to Arbitrary File Read (BAC) and Deletion (BAC) in wfu_file_downloaderphp
WordPress Gallery Plugin – Limb Image Gallery Arbitrary File Download (BAC)
WordPress Gallery Plugin – Limb Image Gallery Arbitrary File Upload (BAC)
WordPress Meta Data and Taxonomies Filter (MDTF) Bypass (BAC)
WordPress Stripe Donation and Payment Plugin Broken Access Control (BAC)
WP 2FA with Telegram Authentication Bypass (BAC)
WP 2FA with Telegram Two-Factor Authentication Bypass (BAC)
WP Adminify Cross-Site Scripting (XSS) from SVG File Upload (BAC)
WP Blocks Hub Cross-Site Scripting (XSS) from SVG File Upload (BAC)
WP Booking System Broken Access Control (BAC)
WP Cleanup and Basic Functions Cross-Site Scripting (XSS) from SVG File Upload (BAC)
WPC Shop as a Customer for WooCommerce PHP Object Injection (BAC)
WPC Smart Messages for WooCommerce Missing Authorization (BAC) to Message Activation and Deactivation
wpDiscuz Authentication Bypass (BAC)
WP donimedia carousel Arbitrary File Upload (BAC)
WP Dropbox Dropins Arbitrary File Upload (BAC)
WP Hotel Booking Arbitrary File Upload (BAC)
WP Popup Builder Unauthenticated Arbitrary Shortcode Execution (BAC)
WP REST API FNS Account Takeover (BAC)
WP REST API FNS Arbitrary File Upload (BAC)
WP RSS Aggregator Missing Authorization (BAC)
WPSchoolPress Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) and Privilege Escalation (BAC)
Wp Social Authentication Bypass (BAC)
WPS Telegram Chat Missing Authorization (BAC) to Private Information Exposure
WP ULike Cross-Site Request Forgery to Statistic Deletion (BAC)
WP Users Masquerade Authentication Bypass (BAC)
WP VR Broken Access Control (BAC)
WP VR Broken Access Control (BAC)
Wux Blog Editor Authentication Bypass (BAC) to Administrator
Wux Blog Editor Unauthenticated Arbitrary File Upload (BAC)
Youzify Missing Authorization (BAC) to Arbitrary Attachment Deletion (BAC)
Zita Elementor Site Library Cross-Site Scripting (XSS) from SVG File Upload (BAC)
WP BAC & WordPress Broken Access Control reported in 2023: 931
WP BAC & WordPress Broken Access Control reported in 2024: 1600
WHO needs tailored WP Maintenance? EVERYBODY!

Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC NOV 2024: WP Broken Access Control Patch Management.

BUY NOW
Security is not a single-task job

Need tailored WP Security and got no clue where to start? Hire an expert. Pay a coffee per week or figure it out yourself.

ORDER NOW

Not sure that our recurrent security offer is worthy of long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.

Related Posts

BROKEN ACCESS CONTROL
54 Broken Access Control MAY 2023 Vulnerabilities
23 May 2023
BROKEN ACCESS CONTROL
BAC AUG 2023: 71 Broken Access Control AUG 2023
17 Aug 2023
BROKEN ACCESS CONTROL
Brutal WP BAC FEB 2024: 93 WP Broken Access Control
14 Feb 2024
BROKEN ACCESS CONTROL
WP BAC JUL 2024: 163 Brutal WP Broken Access Control
11 Jul 2024
BROKEN ACCESS CONTROL
Brutal WP BAC APR 2024: 130 WP Broken Access Control
11 Apr 2024
BROKEN ACCESS CONTROL
BAC NOV 2023: 94 Broken Access Control NOV 2023 Hack
16 Nov 2023
BROKEN ACCESS CONTROL
25 Broken Access Control FEB 2023
23 Feb 2023
BROKEN ACCESS CONTROL
WP BAC DEC 2024: Brutal 205 WP Broken Access Control
05 Dec 2024
BROKEN ACCESS CONTROL
WP BAC AUG 2024: 172 Brutal WP Broken Access Control
15 Aug 2024
BROKEN ACCESS CONTROL
71 Broken Access Control JUN 2023 Vulnerabilities
27 Jun 2023
BROKEN ACCESS CONTROL
BAC OCT 2023: 69 Broken Access Control OCT 2023 Hack
16 Oct 2023
BROKEN ACCESS CONTROL
BAC DEC 2023: 239 Broken Access Control DEC 2023 Hack
14 Dec 2023
BROKEN ACCESS CONTROL
39 Broken Access Control MAR 2023 Vulnerabilities
27 Mar 2023
BROKEN ACCESS CONTROL
WP BAC JUN 2024: 113 Brutal WP Broken Access Control
11 Jun 2024
BROKEN ACCESS CONTROL
Brutal WP BAC MAR 2024: 120 WP Broken Access Control
12 Mar 2024
owlpower.eu
owlpower.eu
owlpower.eu
16+ years of owlsome experience
We're on an empowering mission for website owners, who desire not to be transformed forcefully into IT experts.