WP BAC SEP 2024
WP Broken Access Control
Managed WordPress Security Report
Be informed about the latest WP Broken Access Control issues, identified and reported publicly. WP BAC SEP 2024 is a +2% INCREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT, – OR – switching to a TOP10LIST alternative WP Security Plugin, – OR – hiring us for your recurrent needs of managed WordPress Security and managed WooCommerce Security.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate the "gazillion" different threats to your WordPress site. Get your WP BAC SEP 2024: WP Broken Access Control Patch Management.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
AcyMailing SMTP Newsletter | File Upload (BAC) via acym_extractArchive Function |
AdRotate | Double Extension File Upload (BAC) |
Advanced Cron Manager – debug & control | Broken Access Control (BAC) |
affiliate-toolkit | Unauthenticated Full Path Disclosure (BAC) |
Amelia | Unauthenticated Full Path Disclosure (BAC) |
AMP for WP | Broken Access Control (BAC) |
ARMember | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Aruba HiSpeed Cache | Broken Access Control (BAC) |
Asset CleanUp: Page Speed Booster | Broken Access Control (BAC) |
Atarim | Broken Access Control (BAC) |
Atarim | Missing Authorisation (BAC) to Settings Update (BAC) |
Backup and Restore WordPress | Broken Access Control (BAC) |
Backup and Restore WordPress | Unauthenticated Broken Access Control (BAC) |
BerqWP | Unauthenticated File Upload (BAC) |
Bit Form – Contact Form Plugin 2.0 | File Deletion (BAC) |
Bit Form – Contact Form Plugin 2.0 | File Read (BAC) And Deletion (BAC) |
Bit Form – Contact Form Plugin 2.0 | JavaScript File Upload (BAC) |
Bit Form Pro | File Upload (BAC) |
Bit Form Pro | Plugin Settings Change (BAC) |
Bit Form Pro | Unauthenticated File Deletion (BAC) |
Bitly | Broken Access Control (BAC) |
Blockbooster Theme | Broken Access Control (BAC) |
Blog2Social | Cross-Site Scripting (XSS) via File Upload (BAC) |
Blog Introduction | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Blogpoet Theme | Broken Access Control (BAC) |
Blox Page Builder | File Upload (BAC) |
BookingPress | Authentication Bypass to Account Takeover (BAC) |
Breakdance | Missing Authorisation (BAC) |
Clearfy Cache | Broken Access Control (BAC) |
Clone | Broken Access Control (BAC) |
Contest Gallery | Unauthenticated Comment UserID And IP address Disclosure (BAC) |
CRM Perks Forms | File Upload (BAC) |
Depicter Slider | File Upload (BAC) |
Docket (WooCommerce Collections / Wishlist / Watchlist) | Unauthenticated Post/Page Deletion (BAC) |
Droip | Settings Change (BAC)/Private Data Exposure |
Droip | Unauthenticated File Download/Deletion (BAC) |
Easy Digital Downloads | Broken Access Control (BAC) |
Ebook Store | Unauthenticated Full Path Disclosure (BAC) |
Element Pack Elementor Addons | File Read (BAC) |
Enhanced Search Box | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Envira Photo Gallery | Broken Access Control (BAC) |
Event Espresso 4 Decaf | Missing Authorisation (BAC) to Plugin Settings Modification (BAC) |
EventPrime | Broken Access Control (BAC) |
Falang multilanguage | Missing Authorisation (BAC) to Translation Update (BAC) and Private Information Exposure |
Favicon Generator | Cross-Site Request Forgery (CSRF) to File Deletion (BAC) |
Favicon Generator | File Upload (BAC) via Cross-Site Request Forgery (CSRF) |
File Manager Pro | Plugin Settings Update (BAC) |
File Manager Pro | File Upload (BAC) |
Filter & Grids | Broken Authentication (BAC) |
Flash & HTML5 Video | Broken Access Control (BAC) |
Folders | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Fonts | Broken Access Control (BAC) |
FormCraft | Broken Access Control (BAC) |
Fota WP Theme | Broken Access Control (BAC) |
Funnelforms Free | File Deletion (BAC) |
Funnelforms Free | File Upload (BAC) |
Funnelforms Free | Missing Authorisation (BAC) to Unauthenticated Media Upload (BAC) and Deletion (BAC) |
Fuse Social Floating Sidebar | Cross-Site Scripting (XSS) via File Upload (BAC) |
GeoDirectory | Broken Access Control (BAC) |
GetPaid | Broken Access Control (BAC) |
GiveWP | Missing Authorisation (BAC) to Private Information Exposure |
GiveWP | Missing Authorisation (BAC) to Unauthenticated Event Settings Update (BAC) |
GiveWP | Missing Authorisation (BAC) to File Deletion (BAC) |
GiveWP | Unauthenticated Full Path Disclosure (BAC) |
Hello Agency Theme | Broken Access Control (BAC) |
HelloAsso | Broken Access Control (BAC) |
Hummingbird | Broken Access Control (BAC) |
HUSKY | Privilege Escalation (BAC) |
Icegram Collect – Easy Form, Lead Collection and Subscription plugin | Broken Access Control (BAC) |
ILC Thickbox | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
ImageRecycle pdf & image compression | Missing Authorisation (BAC) in Several AJAX Actions |
infolinks Ad Wrap | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
InPost for WooCommerce | Unauthenticated File Read (BAC)/Delete (BAC) |
InPost PL | Unauthenticated File Read (BAC)/Delete (BAC) |
JetFormBuilder | Privilege Escalation (BAC) |
JobSearch | Unauthenticated Account Takeover (BAC) |
JobSearch | Broken Access Control (BAC) |
JobSearch | Broken Access Control (BAC) |
JoomSport | Broken Access Control (BAC) |
JS Help Desk – Best Help Desk & Support Plugin | Broken Access Control (BAC) |
Leopard - WordPress offload media | Plugin Settings Change (BAC) |
Linkify Text | Unauthenticated Full Path Disclosure (BAC) |
LiteSpeed Cache | Unauthenticated Privilege Escalation (BAC) |
Login As Users | Broken Authentication (BAC) |
Login As Users | Broken Access Control (BAC) to Account Takeover (BAC) |
Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
LWS Affiliation | Broken Access Control (BAC) |
MainWP Child Reports | Cross-Site Request Forgery (CSRF) to Options Update (BAC) |
Masteriyo - LMS | Broken Access Control (BAC) |
Masteriyo - LMS | Broken Access Control (BAC) |
MaxButtons | Full Path Disclosure (BAC) |
Media Library Assistant | File Upload (BAC) via mla-inline-edit-upload-scripts AJAX Action |
Media Library Folders | Missing Authorisation (BAC) on Various Functions |
Memberpress | Broken Access Control (BAC) |
Meta Box – WordPress Custom Fields Framework | Broken Access Control (BAC) |
Metform Elementor Contact Form Builder | Unauthenticated Double-Extension File Upload (BAC) |
Misiek Photo Album | Album Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
Mollie Payments for WooCommerce | Unauthenticated Full Path Disclosure (BAC) |
MP3 Audio Player for Music, Radio & Podcast by Sonaar | Missing Authorisation (BAC) to File Deletion (BAC) |
MStore API | Authentication Bypass to Account Takeover (BAC) |
My Custom CSS PHP & ADS | Unauthenticated Full Path Disclosure (BAC) |
Newsletters | Unauthenticated Full Path Disclosure (BAC) |
Newspack | Broken Access Control (BAC) |
Ninja Tables | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
No Update Nag | Unauthenticated Full Path Disclosure (BAC) |
Obfuscate Email | Unauthenticated Full Path Disclosure (BAC) |
oik | File Deletion (BAC) |
Opal Membership | Information Disclosure (BAC) |
Orbit Fox by ThemeIsle | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Orchid Store Theme | Missing Authorisation (BAC) to Plugin Activation (BAC) |
Order Tracking | Broken Access Control (BAC) |
Oxygen Builder | Missing Authorisation (BAC) to Stylesheet Update (BAC) |
PDF Builder for WPForms | Unauthenticated Full Path Disclosure (BAC) |
Permalink Manager Lite | Missing Authorisation (BAC) to Unauthenticated Private Information Exposure |
Persian WooCommerce | Broken Access Control (BAC) |
Photo Engine | Broken Access Control (BAC) |
Plugin Notes Plus | Content Deletion (BAC) |
Premium Addons for Elementor | Missing Authorisation (BAC) to Content Deletion (BAC) and Title Update (BAC) |
Presto Player | Broken Access Control (BAC) |
Print Barcode Labels for your WooCommerce products/orders | Broken Access Control (BAC) |
Recipe Card Blocks for Gutenberg & Elementor | Broken Access Control (BAC) |
Registrations for the Events Calendar | Broken Access Control (BAC) |
Responsive Lightbox | Cross-Site Scripting (XSS) via File Upload (BAC) |
Responsive Lightbox | Broken Access Control (BAC) |
Reveal Template | Unauthenticated Full Path Disclosure (BAC) |
Reviews Feed | Missing Authorisation (BAC) to Settings Update (BAC) |
ReviewX | Broken Access Control (BAC) |
ReviveNews Theme | Broken Access Control (BAC) |
Robin image optimiser | Broken Access Control (BAC) |
Send Emails with Mandrill | Broken Access Control (BAC) |
Sign-up Sheets | Broken Access Control (BAC) |
Sirv | Missing Authorisation (BAC) to File Upload (BAC) |
Slider by Soliloquy | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Smart Online Order for Clover | Broken Access Control (BAC) |
Smart Online Order for Clover | Missing Authorisation (BAC) to Plugin Deactivation and Data Deletion (BAC) |
Social Slider Feed | Broken Access Control (BAC) |
Sunshine Photo Cart | Broken Access Control (BAC) |
Superfly Menu | Cross-Site Request Forgery (CSRF) to File Deletion (BAC) |
Sync Post With Other Site | Missing Authorisation (BAC) to Post Creation and Update (BAC) |
TemplateSpare | Missing Authorisation (BAC) to Theme Update (BAC) |
Theme My Login | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
Themify Builder | Missing Authorisation (BAC) to Post Duplication |
The Plus Addons for Elementor Page Builder Lite | Broken Access Control (BAC) |
The Post Grid | Information Disclosure (BAC) |
Timetics | Broken Access Control (BAC) |
TrueBooker | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Tutor LMS | Broken Access Control (BAC) |
Tutor LMS Pro | Missing Authorisation (BAC) to Insecure Direct Object Reference |
TypeSquare Webfonts | Broken Access Control (BAC) |
Ultimate Membership Pro | Unauthenticated Privilege Escalation (BAC) |
UsersWP | Users Information Disclosure (BAC) |
UsersWP | Broken Access Control (BAC) |
Visual Sound (old) | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Waitlist Woocommerce ( Back in stock notifier ) | Broken Access Control (BAC) |
WHMpress | Settings Change (BAC) |
Woffice Theme | Unauthenticated Privilege Escalation (BAC) |
WooCommerce Google Feed Manager | Missing Authorisation (BAC) to Feed Actions |
WooCommerce Google Feed Manager | Missing Authorisation (BAC) to File Deletion (BAC) |
WooCommerce PDF Vouchers | Unauthenticated File Deletion (BAC) |
WooCommerce Social Login | Authentication Bypass to Account Takeover (BAC) |
WOOCS – WooCommerce Currency Switcher | Broken Access Control (BAC) |
WordPress File Upload | Broken Access Control (BAC) |
WordPress File Upload | Unauthenticated Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
WP Accessibility Helper (WAH) | Missing Authorisation (BAC) to Settings Update (BAC) |
WPC Frequently Bought Together for WooCommerce | Broken Access Control (BAC) |
WP Crowdfunding | Settings Change (BAC) |
WP Fundraising Donation and Crowdfunding Platform | Privilege Escalation (BAC) |
WP Search Analytics | Broken Access Control (BAC) |
WP SMS | Broken Access Control (BAC) |
WP Social Feed Gallery | Broken Access Control (BAC) |
WP Testimonial Widget | Missing Authorisation (BAC) |
WpTravelly | Broken Access Control (BAC) |
YARPP | Broken Access Control (BAC) |
YayExtra | Unauthenticated File Upload (BAC) via handle_upload_file Function |
Z Y N I T H | Unauthenticated Option Deletion (BAC) |
Z Y N I T H | Unauthenticated Plugin Settings Change (BAC) |
WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
WP BAC & WordPress Broken Access Control reported in 2024: | 1239 |
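The two patterns behind most rows in the list above, "Missing Authorisation to Settings Update" (reachable directly or via CSRF) and "File Upload", usually come down to an AJAX handler that never asks who is calling, or that checks a nonce but not a capability (or the reverse). The PHP below is an added illustration written for this report, not code from any plugin in the list; the action names, option name and field names are invented for the example.

```php
<?php
// Added illustration for this report: a generic Broken Access Control bug in a
// WordPress plugin AJAX handler, and its hardened form. Action names, the
// option name and the settings fields are invented; nothing here is taken
// from any plugin named in the list.

// VULNERABLE: registered for logged-in users AND for visitors (nopriv), never
// checks a capability, never checks a nonce. Any visitor can overwrite the
// plugin's settings; any logged-in user can do it from a forged page (CSRF).
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_vulnerable' );
function demo_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'demo_plugin_settings', $settings );
    wp_send_json_success();
}

// HARDENED: authorisation (capability) and request origin (nonce) are both
// checked before anything is written, and the input is sanitised field by
// field. No nopriv hook: unauthenticated requests never reach this code.
add_action( 'wp_ajax_demo_save_settings_safe', 'demo_save_settings_safe' );
function demo_save_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );      // who is calling?
    }
    check_ajax_referer( 'demo_save_settings', 'nonce' ); // did they mean to? (dies on failure)

    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'api_key' => sanitize_text_field( $raw['api_key'] ?? '' ),
        'enabled' => ! empty( $raw['enabled'] ),
    );
    update_option( 'demo_plugin_settings', $settings );
    wp_send_json_success();
}

// The nonce the hardened handler expects; call this where the admin form is rendered.
function demo_settings_nonce_field() {
    wp_nonce_field( 'demo_save_settings', 'nonce' );
}

// Same two checks for the other dominant category, file upload. The plugin bug
// is usually a home-grown extension blacklist plus move_uploaded_file(); the
// fix is to gate on a capability and let core validate the file type against
// the site's allowed MIME list (SVG and PHP are not in it by default).
add_action( 'wp_ajax_demo_upload_safe', 'demo_upload_safe' );
function demo_upload_safe() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_upload', 'nonce' );
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

When auditing a plugin, grep for every `add_action( 'wp_ajax_` and `register_rest_route` registration and confirm each callback performs both checks: a `current_user_can()` call against a capability that matches what the action does (not merely `is_user_logged_in()`), and a `check_ajax_referer()` or REST `permission_callback`. A nonce alone does not stop a low-privilege user who can obtain one from a page they are allowed to see, and a capability check alone does not stop CSRF.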
WHO needs managed WP Maintenance? EVERYBODY!
Today’s reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order WP BAC SEP 2024: WP Broken Access Control Patch Management.
Security is not a single-task job
Need managed WP Security and got no clue where to start? Hire an expert. Pay a coffee per week; it's cheaper than 1 hour of a freelancer's time.
Not sure that our recurrent security offer is worthy of long-term consideration? Contact us today for a Broken Access Control audit! Decide after you compare RISK + IMPACT versus COST.
We’re passionate about helping you grow and make your impact
Continue being informed
Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes.
Weekly inspiration and news, with occasional hand-picked deals. Unsubscribe anytime.