WP BAC OCT 2024
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control vulnerabilities, identified and reported publicly. WP BAC OCT 2024 is a -45% DECREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT, – OR – switching to a TOP10LIST alternative WP Security Plugin, – OR – hiring us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate the "gazillion" different threats to your WordPress. Get your WP BAC OCT 2024: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Plugin / Theme | Vulnerability |
ForumWP | Account Takeover (BAC) |
Easy Property Listings | Arbitrary Contact Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
Contact Form 7 Campaign Monitor Extension | Arbitrary File Deletion (BAC) |
Advanced File Manager | Arbitrary File Upload (BAC) |
Bit File Manager | Arbitrary File Upload (BAC) |
Bit Form – Contact Form Plugin | Arbitrary File Upload (BAC) |
MStore API | Arbitrary File Upload (BAC) |
Customizer Export/Import | Arbitrary File Upload (BAC) from Customization Settings Import |
The Ultimate WordPress Toolkit – WP Extended | Arbitrary Options Update (BAC) |
WooCommerce Photo Reviews - Review Reminders - Review for Discounts | Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC) |
Login with phone number | Authorisation Bypass (BAC) to Privilege Escalation (BAC) |
Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads | Broken Access Control (BAC) |
Depicter Slider | Broken Access Control (BAC) |
Elementor Addon Elements | Broken Access Control (BAC) |
JoomSport | Broken Access Control (BAC) |
Joy Of Text Lite | Broken Access Control (BAC) |
Popup Maker | Broken Access Control (BAC) |
PWA for WP & AMP | Broken Access Control (BAC) |
Sunshine Photo Cart | Broken Access Control (BAC) |
Templately | Broken Access Control (BAC) |
Truepush | Broken Access Control (BAC) |
Wheel of Life | Broken Access Control (BAC) |
WooCommerce Multilingual & Multicurrency | Broken Access Control (BAC) |
WP Datepicker | Broken Access Control (BAC) |
WP Free SSL – Free SSL Certificate for WordPress and force HTTPS | Broken Access Control (BAC) |
Fluent Support | Broken Access Control (BAC) on Email Verification |
Stream | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
Easy PayPal Events | Cross-Site Request Forgery (CSRF) to Arbitrary Post Deletion (BAC) |
BA Book Everything | Cross-Site Request Forgery (CSRF) to Email Address Update (BAC) / Account Takeover (BAC) |
AnWP Football Leagues | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Common Tools for Site | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
GF Custom Style | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Graphicsly | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
GutenGeek Free Gutenberg Blocks for WordPress | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
king_IE | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Mapplic Lite | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
OneElements – Best Elementor Addons | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Preloader Plus - WordPress Loading Screen Plugin | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Advanced File Manager | File Upload (BAC) |
AZIndex | Index Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
WCFM – Frontend Manager for WooCommerce | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) / Privilege Escalation (BAC) |
Charitable | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) and Privilege Escalation (BAC) |
WP-Recall | Insecure Direct Object Reference (IDOR) to Unauthenticated Arbitrary Password Update (BAC) |
IP Vault – WP Firewall | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
Limit Login Attempts Plus | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
SAF | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
Web Application Firewall – website security | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
Maintenance Redirect | IP Bypass (BAC) |
WP Cerber Security | IP Protection Bypass (BAC) |
Classified Listing | Missing Authorisation (BAC) |
EU/UK VAT Manager for WooCommerce | Missing Authorisation (BAC) |
EU/UK VAT Manager for WooCommerce | Missing Authorisation (BAC) |
Form Vibes – Database Manager for Forms | Missing Authorisation (BAC) in Multiple Functions |
Flash & HTML5 Video | Missing Authorisation (BAC) in multiple functions from hvp_ajax_handler |
The Ultimate WordPress Toolkit – WP Extended | Missing Authorisation (BAC) to Admin Username Change |
Revision Manager TMC | Missing Authorisation (BAC) to Arbitrary Email Sending |
Webba Booking | Missing Authorisation (BAC) to CSS Settings Update (BAC) |
WP Easy Gallery | Missing Authorisation (BAC) to Gallery Manipulation |
FluentForm | Missing Authorisation (BAC) to Mailchimp Integration Modification |
Flash & HTML5 Video | Missing Authorisation (BAC) to Options Update (BAC) |
Amelia | Missing Authorisation (BAC) to Private Information Exposure |
Email Subscribers & Newsletters | Missing Authorisation (BAC) to Private Information Exposure |
Sight | Missing Authorisation (BAC) to Private Information Exposure in handler_post_title |
Frontend Post Submission Manager Lite | Missing Authorisation (BAC) to Settings Update (BAC) |
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins | Missing Authorisation (BAC) to Settings Update (BAC) |
ThemeHunk | Missing Authorisation (BAC) to Settings Update (BAC) |
Download Monitor | Missing Authorisation (BAC) to Shop Enable |
myCred | Missing Authorisation (BAC) to Unauthenticated Database Upgrade |
Revolut Gateway for WooCommerce | Missing Authorisation (BAC) to Unauthenticated Order Status Update (BAC) |
EventPrime | Missing Authorisation (BAC) to Unauthenticated Password-Protected-Events Private Disclosure |
EventPrime | Missing Authorisation (BAC) to Unauthenticated Private-Events Private Disclosure |
Uncanny Groups for LearnDash | Missing Authorisation (BAC) to User Group Add |
WC Marketplace | Missing Authorisation (BAC) to Vendor Privilege Escalation (BAC) / Account Takeover (BAC) |
Geo Controller | Multiple Missing Authorisation (BAC) |
BuddyForms | Privilege Escalation (BAC) |
ForumWP | Privilege Escalation (BAC) |
Houzez Login Register | Privilege Escalation (BAC) |
Houzez Theme | Privilege Escalation (BAC) |
Newsletters | Privilege Escalation (BAC) |
Post Grid and Gutenberg Blocks | Privilege Escalation (BAC) |
Uncanny Groups for LearnDash | Privilege Escalation (BAC) |
adstxt | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
DN Popup | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Posts reminder | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Visual Sound | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
LiteSpeed Cache | Unauthenticated Account Takeover (BAC) from Cookie Leak |
WooEvents | Unauthenticated Arbitrary File Overwrite (BAC) |
JupiterX Core | Unauthenticated Arbitrary File Upload (BAC) |
REST API TO MiniProgram | Unauthenticated Arbitrary User Email Update (BAC) and Privilege Escalation (BAC) from Account Takeover (BAC) |
JupiterX Core | Unauthenticated Authentication Bypass (BAC) to Account Takeover (BAC) |
Ninja Forms File Upload Extension | Unauthenticated Cross-Site Scripting (XSS) from File Upload (BAC) |
WP Job Portal | Unauthenticated Local File Inclusion (LFI), Arbitrary Settings Update (BAC), and User Creation (BAC) |
PixelYourSite PRO | Unauthenticated Private Information Exposure and Log Deletion (BAC) |
PixelYourSite – Your smart PIXEL (TAG) Manager | Unauthenticated Private Information Exposure and Log Deletion (BAC) |
Webo-facto | Unauthenticated Privilege Escalation (BAC) |
WPCOM Member | Unauthenticated Privilege Escalation (BAC) from User Meta |
WP Hardening | Unauthenticated Security Feature Bypass (BAC) to Username Enumeration |
WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
WP BAC & WordPress Broken Access Control reported in 2024: | 1336 |
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC OCT 2024: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and got no clue where to start? Hire an expert. Pay a coffee per week; it's cheaper than 1 hour of a freelancer.
Not sure that our recurrent security offer is worth long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.
We’re passionate about helping you grow and make your impact
Continue being informed
Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes.
Weekly inspiration, news and occasional hand-picked deals. Unsubscribe anytime.