WP BAC OCT 2024
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC OCT 2024 is a -45% DECREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin – OR – Hire us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate "gazillion" different threats in your WordPress. Get your WP BAC OCT 2024: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
| ForumWP | Account Takeover (BAC) |
| Easy Property Listings | Arbitrary Contact Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
| Contact Form 7 Campaign Monitor Extension | Arbitrary File Deletion (BAC) |
| Advanced File Manager | Arbitrary File Upload (BAC) |
| Bit File Manager | Arbitrary File Upload (BAC) |
| Bit Form – Contact Form Plugin | Arbitrary File Upload (BAC) |
| MStore API | Arbitrary File Upload (BAC) |
| Customizer Export/Import | Arbitrary File Upload (BAC) from Customization Settings Import |
| The Ultimate WordPress Toolkit – WP Extended | Arbitrary Options Update (BAC) |
| WooCommerce Photo Reviews - Review Reminders - Review for Discounts | Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC) |
| Login with phone number | Authorisation Bypass (BAC) to Privilege Escalation (BAC) |
| Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads | Broken Access Control (BAC) |
| Depicter Slider | Broken Access Control (BAC) |
| Elementor Addon Elements | Broken Access Control (BAC) |
| JoomSport | Broken Access Control (BAC) |
| Joy Of Text Lite | Broken Access Control (BAC) |
| Popup Maker | Broken Access Control (BAC) |
| PWA for WP & AMP | Broken Access Control (BAC) |
| Sunshine Photo Cart | Broken Access Control (BAC) |
| Templately | Broken Access Control (BAC) |
| Truepush | Broken Access Control (BAC) |
| Wheel of Life | Broken Access Control (BAC) |
| WooCommerce Multilingual & Multicurrency | Broken Access Control (BAC) |
| WP Datepicker | Broken Access Control (BAC) |
| WP Free SSL – Free SSL Certificate for WordPress and force HTTPS | Broken Access Control (BAC) |
| Fluent Support | Broken Access Control (BAC) on Email Verification |
| Stream | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
| Easy PayPal Events | Cross-Site Request Forgery (CSRF) to Arbitrary Post Deletion (BAC) |
| BA Book Everything | Cross-Site Request Forgery (CSRF) to Email Address Update (BAC) /Account Takeover (BAC) |
| AnWP Football Leagues | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Common Tools for Site | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| GF Custom Style | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Graphicsly | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| GutenGeek Free Gutenberg Blocks for WordPress | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| king_IE | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Mapplic Lite | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| OneElements – Best Elementor Addons | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Preloader Plus - WordPress Loading Screen Plugin | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Advanced File Manager | File Upload (BAC) |
| AZIndex | Index Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
| WCFM – Frontend Manager for WooCommerce | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) /Privilege Escalation (BAC) |
| Charitable | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) and Privilege Escalation (BAC) |
| WP-Recall | Insecure Direct Object Reference (IDOR) to Unauthenticated Arbitrary Password Update (BAC) |
| IP Vault – WP Firewall | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
| Limit Login Attempts Plus | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
| SAF | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
| Web Application Firewall – website security | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
| Maintenance Redirect | IP Bypass (BAC) |
| WP Cerber Security | IP Protection Bypass (BAC) |
| Classified Listing | Missing Authorisation (BAC) |
| EU/UK VAT Manager for WooCommerce | Missing Authorisation (BAC) |
| EU/UK VAT Manager for WooCommerce | Missing Authorisation (BAC) |
| Form Vibes – Database Manager for Forms | Missing Authorisation (BAC) in Multiple Functions |
| Flash & HTML5 Video | Missing Authorisation (BAC) in multiple functions from hvp_ajax_handler |
| The Ultimate WordPress Toolkit – WP Extended | Missing Authorisation (BAC) to Admin Username Change |
| Revision Manager TMC | Missing Authorisation (BAC) to Arbitrary Email Sending |
| Webba Booking | Missing Authorisation (BAC) to CSS Settings Update (BAC) |
| WP Easy Gallery | Missing Authorisation (BAC) to Gallery Manipulation |
| FluentForm | Missing Authorisation (BAC) to Mailchimp Integration Modification |
| Flash & HTML5 Video | Missing Authorisation (BAC) to Options Update (BAC) |
| Amelia | Missing Authorisation (BAC) to Private Information Exposure |
| Email Subscribers & Newsletters | Missing Authorisation (BAC) to Private Information Exposure |
| Sight | Missing Authorisation (BAC) to Private Information Exposure in handler_post_title |
| Frontend Post Submission Manager Lite | Missing Authorisation (BAC) to Settings Update (BAC) |
| Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins | Missing Authorisation (BAC) to Settings Update (BAC) |
| ThemeHunk | Missing Authorisation (BAC) to Settings Update (BAC) s |
| Download Monitor | Missing Authorisation (BAC) to Shop Enable |
| myCred | Missing Authorisation (BAC) to Unauthenticated Database Upgrade |
| Revolut Gateway for WooCommerce | Missing Authorisation (BAC) to Unauthenticated Order Status Update (BAC) |
| EventPrime | Missing Authorisation (BAC) to Unauthenticated Password-Protected-Events Private Disclosure |
| EventPrime | Missing Authorisation (BAC) to Unauthenticated Private-Events Private Disclosure |
| Uncanny Groups for LearnDash | Missing Authorisation (BAC) to User Group Add |
| WC Marketplace | Missing Authorisation (BAC) to Vendor Privilege Escalation (BAC) /Account Takeover (BAC) |
| Geo Controller | Multiple Missing Authorisation (BAC) |
| BuddyForms | Privilege Escalation (BAC) |
| ForumWP | Privilege Escalation (BAC) |
| Houzez Login Register | Privilege Escalation (BAC) |
| Houzez Theme | Privilege Escalation (BAC) |
| Newsletters | Privilege Escalation (BAC) |
| Post Grid and Gutenberg Blocks | Privilege Escalation (BAC) |
| Uncanny Groups for LearnDash | Privilege Escalation (BAC) |
| adstxt | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| DN Popup | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| Posts reminder | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| Visual Sound | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| LiteSpeed Cache | Unauthenticated Account Takeover (BAC) from Cookie Leak |
| WooEvents | Unauthenticated Arbitrary File Overwrite (BAC) |
| JupiterX Core | Unauthenticated Arbitrary File Upload (BAC) |
| REST API TO MiniProgram | Unauthenticated Arbitrary User Email Update (BAC) and Privilege Escalation (BAC) from Account Takeover (BAC) |
| JupiterX Core | Unauthenticated Authentication Bypass (BAC) to Account Takeover (BAC) |
| Ninja Forms File Upload Extension | Unauthenticated Cross-Site Scripting (XSS) from File Upload (BAC) |
| WP Job Portal | Unauthenticated Local File Inclusion (LFi) , Arbitrary Settings Update (BAC) , and User Creation (BAC) |
| PixelYourSite PRO | Unauthenticated Private Information Exposure and Log Deletion (BAC) |
| PixelYourSite – Your smart PIXEL (TAG) Manager | Unauthenticated Private Information Exposure and Log Deletion (BAC) |
| Webo-facto | Unauthenticated Privilege Escalation (BAC) |
| WPCOM Member | Unauthenticated Privilege Escalation (BAC) from User Meta |
| WP Hardening | Unauthenticated Security Feature Bypass (BAC) to Username Enumeration |
| WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
| WP BAC & WordPress Broken Access Control reported in 2024: | 1336 |
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC OCT 2024: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and got no clue where to start? Hire an expert. Pay a coffee per week, its cheaper than 1 hour for a freelancer.
