WP BAC NOV 2024
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC NOV 2024 is a +172% INCREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin – OR – Hire us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate "gazillion" different threats in your WordPress. Get your WP BAC NOV 2024: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
| 1-Click Login: Passwordless Authentication | Broken Authentication (BAC) |
| 3D Work In Progress | Arbitrary File Deletion (BAC) |
| 3D Work In Progress | Arbitrary File Upload (BAC) |
| AADMY | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| ACF Images Search And Insert | Arbitrary File Upload (BAC) |
| Acnoo Flutter API | Account Takeover (BAC) |
| Adding drop down roles in registration | Privilege Escalation (BAC) |
| aDirectory | Arbitrary File Upload (BAC) |
| Advanced Advertising System | PHP Object Injection (BAC) |
| Advanced Custom Fields | Missing Authorisation (BAC) on Option Changes (BAC) |
| Advanced Custom Fields | Missing Authorisation (BAC) to Private Information Disclosure |
| Advanced Custom Fields | Missing Authorisation (BAC) to Private Information Disclosure |
| Advanced Custom Fields PRO | Missing Authorisation (BAC) on Option Changes (BAC) |
| Advanced Custom Fields PRO | Missing Authorisation (BAC) to Private Information Disclosure |
| Advanced Custom Fields PRO | Missing Authorisation (BAC) to Private Information Disclosure |
| Affiliate Pro - Affiliate Program for WooCommerce & WordPress | Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC) |
| Affiliator | Arbitrary File Upload (BAC) |
| Aggregator Advanced Settings | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Ahime Image Printer | Arbitrary File Download (BAC) |
| AI Image Generator for Your Content & Featured Images – AI Postpix | Arbitrary File Upload (BAC) |
| Ajar in5 Embed | Arbitrary File Upload (BAC) |
| All Post Contact Form | Arbitrary File Upload (BAC) |
| AMP for WP | Cross-Site Request Forgery to Privilege Escalation (BAC) |
| Analyse Uploads | Arbitrary File Deletion (BAC) |
| App Builder | Privilege Escalation (BAC) and Account Takeover (BAC) from Weak OTP |
| AppPresser | Privilege Escalation (BAC) and Account Takeover (BAC) from Weak OTP |
| AR For Woocommerce | Arbitrary File Upload (BAC) |
| AR For WordPress | Arbitrary File Upload (BAC) |
| Automatic Translation | Arbitrary File Upload (BAC) |
| AVIF & SVG Uploader | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Azz Anonim Posting | Arbitrary File Upload (BAC) |
| Backup and Staging by WP Time Capsule | PHP Object Injection (BAC) |
| Best Restaurant Menu by PriceListo | Broken Access Control (BAC) |
| Bit File Manager | Limited JavaScript File Upload (BAC) |
| Bit Form – Contact Form Plugin | Improper Input Validation to Arbitrary File Read (BAC) |
| Black Widgets For Elementor | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Bold Page Builder | Broken Access Control (BAC) |
| Bot for Telegram on WooCommerce | Telegram Bot Token Disclosure to Authentication Bypass (BAC) |
| Branding | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Breeze | Broken Access Control (BAC) |
| Bridge Core | Missing Authorisation (BAC) to Demo Import |
| Bstone Demo Importer | Privilege Escalation (BAC) |
| BuddyPress | Directory Traversal (BAC) |
| BuddyPress Better Registration | Broken Authentication (BAC) |
| Bulk Change Role | Privilege Escalation (BAC) |
| Bulk images optimiser | Missing Authorisation (BAC) to Plugin Options Update (BAC) |
| Calculated Fields Form | HTML Injection (BAC) |
| Category Icon | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Code Explorer | External File Read (BAC)ing |
| Contact Form 7 Telegram | Missing Authorisation (BAC) to Subscription Approve and Pause and Refuse |
| Cooked Pro | Unauthenticated Arbitrary File Upload (BAC) |
| Creates 3D Flipbook, PDF Flipbook | Arbitrary File Upload (BAC) |
| Crypto | Authentication Bypass (BAC) from log_in |
| Crypto | Authentication Bypass (BAC) from register |
| Crypto | Cross-Site Request Forgery to Authentication Bypass (BAC) |
| CubeWP – All-in-One Dynamic Content Framework | Broken Access Control (BAC) |
| Custom Icons for Elementor | Arbitrary File Upload (BAC) |
| Debrandify | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Demo Importer Plus | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Digital Lottery | Arbitrary File Upload (BAC) |
| Disc Golf Manager | PHP Object Injection (BAC) |
| Download Monitor | Missing Authorisation (BAC) to API Key Manipulation |
| Download Monitor | Missing Authorisation (BAC) to Private Information Exposure |
| Download Plugin | Missing Authorisation (BAC) to User Metadata and Comment Download |
| DS.DownloadList | PHP Object Injection (BAC) |
| Easy Demo Importer | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Easy Menu Manager | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Easy Post Types | Missing Authorisation (BAC) from Multiple Functions |
| Easy Post Types | PHP Object Injection (BAC) |
| Echo RSS Feed Post Generator Plugin for WordPress | Unauthenticated Privilege Escalation (BAC) |
| Editorial Assistant by Sovrn | Missing Authorisation (BAC) to Attachment Upload and Set Post Featured Image |
| EKC Tournament Manager | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
| Elastik Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Elemenda | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| ElementsReady Addons for Elementor | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Email Subscribers & Newsletters | Arbitrary Shortcode Execution (BAC) |
| Empowerment Theme | PHP Object Injection (BAC) |
| Enable Shortcodes inside Widgets,Comments and Experts | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| Exam Matrix | Privilege Escalation (BAC) |
| Extensions by HocWP Team | Authentication Bypass (BAC) |
| Feed Comments Number | Arbitrary File Upload (BAC) |
| File Manager Pro | Cross-Site Request Forgery to Arbitrary File Upload (BAC) |
| File Manager Pro | Unauthenticated Backup File Download (BAC) and Upload |
| File Manager Pro | Unauthenticated Limited JavaScript File Upload (BAC) |
| FileOrganizer | Arbitrary File Upload (BAC) |
| Fonto | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Forminator | Missing Authorisation (BAC) to Form Update (BAC) and Creation |
| FREE DOWNLOAD MANAGER | Arbitrary File Deletion (BAC) |
| Free Stock Photos Foter | PHP Object Injection (BAC) |
| GERRYWORKS Post by Mail | Privilege Escalation (BAC) |
| Giveaway Boost | PHP Object Injection (BAC) |
| GiveWP | Unauthenticated PHP Object Injection (BAC) to Remote Code Execution (RCE) |
| Greenshift – animation and page builder blocks | Broken Access Control (BAC) |
| GRÜN spendino Spendenformular | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
| GutenKit | Unauthenticated Arbitrary File Upload (BAC) |
| Happy Addons for Elementor | Broken Access Control (BAC) |
| Hash Form | Unauthenticated Limited File Upload (BAC) |
| HD Quiz – Save Results Light | Broken Access Control (BAC) |
| Hello World | Arbitrary File Read (BAC) |
| Htaccess File Editor | Broken Access Control (BAC) |
| Hunk Companion | Missing Authorisation (BAC) to Unauthenticated Arbitrary Plugin Installation and Activation |
| HurryTimer | Missing Authorisation (BAC) to Arbitrary Post Publication |
| iBryl Switch User | Account Takeover (BAC) |
| Image Map Pro | Missing Authorisation (BAC) to Map Project Add and Update and Delete |
| ImagePress | Cross-Site Request Forgery to Plugin Settings Update (BAC) |
| ImagePress | Missing Authorisation (BAC) to Arbitrary Post Deletion (BAC) and Post Title Update (BAC) |
| Infinite-Scroll | Cross-Site Request Forgery to Plugin Settings Update (BAC) |
| INK Official | Arbitrary File Upload (BAC) |
| IP Loc8 | PHP Object Injection (BAC) |
| JiangQie Free Mini Program | Arbitrary File Upload (BAC) |
| Job Board Manager for WordPress | Privilege Escalation (BAC) |
| Kata Plus | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| KB Support | Missing Authorisation (BAC) to Multiple Administrator Actions |
| KB Support | Missing Authorisation (BAC) to Unauthenticated Ticket Reply Exposure |
| Landing Page Cat | Broken Access Control (BAC) |
| LatePoint | Authentication Bypass (BAC) |
| Leyka | Broken Access Control (BAC) |
| Linkz.ai | Missing Authorisation (BAC) to Plugin Settings Update (BAC) |
| Linkz.ai | Missing Authorisation (BAC) to Unauthenticated Plugin Settings Update (BAC) |
| LiteSpeed Cache | Privilege Escalation (BAC) |
| LocateAndFilter | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Login Protection – Limit Failed Login Attempts | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
| MaanStore API | Account Takeover (BAC) |
| Mapster WP Maps | Incorrect Authorisation to Arbitrary Options Update (BAC) |
| Marketing Automation by AZEXO | Arbitrary File Upload (BAC) |
| Marketing Automation by AZEXO | Privilege Escalation (BAC) |
| Masteriyo - LMS | Missing Authorisation (BAC) to Privilege Escalation (BAC) |
| Meetup | Broken Authentication (BAC) |
| Miniorange OTP Verification with Firebase | Authentication Bypass (BAC) |
| Miniorange OTP Verification with Firebase | Privilege Escalation (BAC) from Registration due to Administrator Default User Role Value |
| Multiline files upload for contact form 7 | Missing Authorisation (BAC) to Plugin Deactivation |
| Multi Purpose Mail Form | Arbitrary File Upload (BAC) |
| Multi Purpose Mail Form | Arbitrary File Upload (BAC) |
| Multi Step Form | Broken Access Control (BAC) |
| Mynx Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| My Reading Library | PHP Object Injection (BAC) |
| My Wp Brand – Hide menu & Hide Plugin | Broken Access Control (BAC) |
| Namaste! LMS | PHP Object Injection (BAC) |
| Nextend Social Login Pro | Authentication Bypass (BAC) |
| Nice Backgrounds | Arbitrary File Upload (BAC) |
| Notification for Telegram | Missing Authorisation (BAC) |
| Order Attachments for WooCommerce 2.0 | Missing Authorisation (BAC) to Limited Arbitrary File Upload (BAC) |
| Order Notification for Telegram | Missing Authorisation (BAC) to Unauthenticated Send Telegram Test Message |
| Pedalo Connector | Authentication Bypass (BAC) |
| PegaPoll | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
| Photo Gallery Builder | Broken Access Control (BAC) to Notice Dismissal |
| photokit | Arbitrary File Upload (BAC) |
| Plugin Propagator | Arbitrary File Upload (BAC) |
| Plug your WooCommerce into the largest catalog of customized print products from Helloprint | Arbitrary File Upload (BAC) |
| Portfolleo | Arbitrary File Upload (BAC) |
| Product Customizer Light | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Product Website Showcase | Arbitrary File Upload (BAC) |
| ProfilePress Pro | Authentication Bypass (BAC) |
| Property Lot Management System | Arbitrary File Upload (BAC) |
| PublishPress Authors | Insecure Direct Object Reference (IDOR) to Arbitrary User Email Update (BAC) and Account Takeover (BAC) |
| PWA | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| QA Analytics | Missing Authorisation (BAC) to Settings Update (BAC) |
| QS Dark Mode | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| R Animated Icon | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Rank Math SEO | PHP Object Injection (BAC) |
| Rank Math SEO | Missing Authorisation (BAC) to Unauthenticated User and Term Metadata Insert, Update (BAC), and Delete |
| Read more By Adam | Missing Authorisation (BAC) to Read More Button Deletion (BAC) |
| Realty Workstation | Account Takeover (BAC) |
| Recently | PHP Object Injection (BAC) |
| Relogo | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Re:WP | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Robo Gallery | Missing Authorisation (BAC) to Private Gallery Title Disclosure |
| Rover IDX | Missing Authorisation (BAC) from Multiple Functions |
| Rover IDX | Authentication Bypass (BAC) to Administrator |
| RS-Members | Privilege Escalation (BAC) |
| RSVPMaker for Toastmasters | Arbitrary File Upload (BAC) |
| SendGrid for WordPress | Missing Authorisation (BAC) to Log Deletion (BAC) |
| SEOPress | Broken Access Control (BAC) |
| SEOPress | Broken Access Control (BAC) |
| SEOPress | Unauthenticated Broken Access Control (BAC) |
| Shipyaari Shipping Management | PHP Object Injection (BAC) |
| Shortcodes AnyWhere | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| ShortPixel Image Optimiser | Broken Access Control (BAC) |
| Signup Page | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
| Simple Custom Post Order | Broken Access Control (BAC) |
| Simple Membership | Open Redirection (BAC) |
| Simple User Registration | Account Takeover (BAC) |
| Sirv | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| SiteBuilder Dynamic Components | PHP Object Injection (BAC) |
| Slider Revolution | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Smart Manager | Broken Access Control (BAC) |
| Social Web Suite | Directory Traversal (BAC) to Arbitrary File Download (BAC) |
| Soumettre.fr | Missing Authorisation (BAC) |
| Sovratec Case Management | Arbitrary File Upload (BAC) |
| Spice Starter Sites | Missing Authorisation (BAC) to Unauthenticated Demo Content Import |
| Stackable | Unauthenticated CSS Injection (BAC) |
| Stacks Mobile App Builder | Account Takeover (BAC) |
| Stacks Mobile App Builder | Arbitrary File Upload (BAC) |
| Stars SMTP Mailer | Arbitrary File Upload (BAC) |
| Sudan Payment Gateway for WooCommerce | Arbitrary File Upload (BAC) |
| Suki Sites Import | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Sunshine Photo Cart | Broken Access Control (BAC) |
| Sunshine Photo Cart | Open Redirection (BAC) |
| SurveyJS: Drag & Drop WordPress Form Builder | Arbitrary File Upload (BAC) |
| SVG Complete | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| TAKETIN To WP Membership | PHP Object Injection (BAC) |
| Talkback | PHP Object Injection (BAC) |
| Telecash Ricaricaweb | PHP Object Injection (BAC) |
| Templately | Broken Access Control (BAC) |
| Templately | Broken Access Control (BAC) |
| Timetable and Event Schedule | Missing Authorisation (BAC) |
| Timetics | Insecure Direct Object Reference (IDOR) to Unauthenticated Arbitrary User Password and Email Reset and Account Takeover (BAC) |
| Token Login | Broken Authentication (BAC) |
| Training – Courses | Arbitrary File Upload (BAC) |
| Uix Shortcodes | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| UltimateAI | Authentication Bypass (BAC) |
| UltimateAI | Limited User Password Change (BAC) due to Improper Empty and Missing Default Value Check |
| UltraPress Theme | PHP Object Injection (BAC) |
| Unseen Blog Theme | PHP Object Injection (BAC) |
| UserPlus | Registration Form Update (BAC) to Privilege Escalation (BAC) |
| User Toolkit | Account Takeover (BAC) |
| Verbalize WP | Arbitrary File Upload (BAC) |
| WatchTowerHQ | Authentication Bypass (BAC) |
| WC Marketplace | Cross-Site Request Forgery to Vendor Update (BAC)s |
| WC Marketplace | Missing Authorisation (BAC) to Forged Vendor ProFile Deletion (BAC) Email Sending |
| Wechat Social login | Authentication Bypass (BAC) |
| Wechat Social login | Unauthenticated Arbitrary File Upload (BAC) |
| WooCommerce | Unauthenticated HTML Injection (BAC) |
| Woocommerce Custom Profile Picture | Arbitrary File Upload (BAC) |
| WooCommerce Order Proposal | Privilege Escalation (BAC) from Order Proposal |
| WooCommerce PDF Invoices & Packing Slips | Broken Access Control (BAC) |
| Woocommerce Product Design | Arbitrary File Deletion (BAC) |
| Woocommerce Product Design | Arbitrary File Download (BAC) |
| Woocommerce Product Design | Arbitrary File Upload (BAC) |
| WooCommerce UPS Shipping – Live Rates and Access Points | Missing Authorisation (BAC) to Plugin API key reset |
| Woostagram Connect | Arbitrary File Upload (BAC) |
| WordPress Comments Import & Export | Arbitrary File Read (BAC) from Directory Traversal (BAC) |
| WordPress File Upload (BAC) | Unauthenticated Path Traversal to Arbitrary File Read (BAC) and Deletion (BAC) in wfu_file_downloaderphp |
| WordPress Gallery Plugin – Limb Image Gallery | Arbitrary File Download (BAC) |
| WordPress Gallery Plugin – Limb Image Gallery | Arbitrary File Upload (BAC) |
| WordPress Meta Data and Taxonomies Filter (MDTF) | Bypass (BAC) |
| WordPress Stripe Donation and Payment Plugin | Broken Access Control (BAC) |
| WP 2FA with Telegram | Authentication Bypass (BAC) |
| WP 2FA with Telegram | Two-Factor Authentication Bypass (BAC) |
| WP Adminify | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WP Blocks Hub | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WP Booking System | Broken Access Control (BAC) |
| WP Cleanup and Basic Functions | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WPC Shop as a Customer for WooCommerce | PHP Object Injection (BAC) |
| WPC Smart Messages for WooCommerce | Missing Authorisation (BAC) to Message Activation and Deactivation |
| wpDiscuz | Authentication Bypass (BAC) |
| WP donimedia carousel | Arbitrary File Upload (BAC) |
| WP Dropbox Dropins | Arbitrary File Upload (BAC) |
| WP Hotel Booking | Arbitrary File Upload (BAC) |
| WP Popup Builder | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| WP REST API FNS | Account Takeover (BAC) |
| WP REST API FNS | Arbitrary File Upload (BAC) |
| WP RSS Aggregator | Missing Authorisation (BAC) |
| WPSchoolPress | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) and Privilege Escalation (BAC) |
| Wp Social | Authentication Bypass (BAC) |
| WPS Telegram Chat | Missing Authorisation (BAC) to Private Information Exposure |
| WP ULike | Cross-Site Request Forgery to Statistic Deletion (BAC) |
| WP Users Masquerade | Authentication Bypass (BAC) |
| WP VR | Broken Access Control (BAC) |
| WP VR | Broken Access Control (BAC) |
| Wux Blog Editor | Authentication Bypass (BAC) to Administrator |
| Wux Blog Editor | Unauthenticated Arbitrary File Upload (BAC) |
| Youzify | Missing Authorisation (BAC) to Arbitrary Attachment Deletion (BAC) |
| Zita Elementor Site Library | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
| WP BAC & WordPress Broken Access Control reported in 2024: | 1600 |
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC NOV 2024: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and got no clue where to start? Hire an expert. Pay a coffee per week, its cheaper than 1 hour for a freelancer.
Not sure that our recurrent security offer is worthy of long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.
We’re passionate about helping you grow and make your impact Continue being informed Email (*double opt-in) monthly: technical monthly: owlpower services weekly: inspiration weekly: featured request managed help (tailored newsletter only for you) weekly: news Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes. Weekly inspiration, news and occasional with…
We’re passionate about helping you grow and make your impact Continue being informed Email (*double opt-in) monthly: technical monthly: owlpower services weekly: inspiration weekly: featured request managed help (tailored newsletter only for you) weekly: news Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes. Weekly inspiration, news and occasional with…
We’re passionate about helping you grow and make your impact Continue being informed Email (*double opt-in) monthly: technical monthly: owlpower services weekly: inspiration weekly: featured request managed help (tailored newsletter only for you) weekly: news Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes. Weekly inspiration, news and occasional with…
We’re passionate about helping you grow and make your impact Continue being informed Email (*double opt-in) monthly: technical monthly: owlpower services weekly: inspiration weekly: featured request managed help (tailored newsletter only for you) weekly: news Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes. Weekly inspiration, news and occasional with…
We’re passionate about helping you grow and make your impact
Continue being informed
Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes.
Weekly inspiration, news and occasional with hand-picked deals. Unsubscribe anytime.
