WP BAC FEB 2025: WP Broken Access Control
Managed WP/Woo Security Report
Be informed about the latest WP Broken Access Control vulnerabilities, identified and reported publicly. WP BAC FEB 2025 is an +18% INCREASE compared to the previous month. Consider, for your online safety, a managed WP/Woo security AUDIT, – OR – switching to a TOP10LIST alternative WP Security Plugin, – OR – hiring professionals for managed WP Security.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
1003 Mortgage Application | Broken Access Control (BAC) |
1003 Mortgage Application | Broken Access Control (BAC) |
12 Step Meeting List | Content Deletion (BAC) |
4ECPS Web Forms | File Upload (BAC) |
ABC Notation | File Read (BAC) |
Accessibility by AllAccessible | Privilege Escalation (BAC) |
AdForest Theme | Privilege Escalation (BAC) from Password Reset (BAC)/Account Takeover (BAC) |
AdForest Theme | Missing Authorization (BAC) and Post/Attachment Deletion (BAC) |
AdForest Theme | Authentication Bypass (BAC) |
Adifier System | Unauthenticated Password Reset (BAC) |
Admin and Site Enhancements (ASE) | Broken Access Control (BAC) |
Admin and Site Enhancements (ASE) Pro | Broken Access Control (BAC) |
Advanced File Manager | File Upload (BAC) |
Advanced Notifications | Broken Access Control (BAC) |
AI for SEO | Broken Access Control (BAC) |
AI Responsive Gallery Album | Broken Access Control (BAC) |
AI Scribe | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
AI Scribe | Missing Authorization (BAC) and Settings Update (BAC) |
Allada T-shirt Designer for Woocommerce | Broken Access Control (BAC) |
Altra Side Menu | Menu Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
ApplyOnline – Application Form Builder and Manager | Broken Access Control (BAC) |
Aurum Theme | Missing Authorization (BAC) and Demo Content Import |
Automate Hub | Cross-Site Request Forgery (CSRF) to Activation Status Update (BAC) |
Avada Theme | Broken Access Control (BAC) |
Background Control | Cross-Site Request Forgery (CSRF) and File Deletion (BAC) |
Barcode Scanner with Inventory & Order Manager | File Upload (BAC) |
Better Find and Replace | Privilege Escalation (BAC) |
Bitly | Missing Authorization (BAC) and Settings Update (BAC) |
Booking and Rental Manager | Broken Access Control (BAC) |
BookingPress | Unauthenticated Export File Download (BAC) |
Boom Fest | Missing Authorization (BAC) and Plugin Settings Update (BAC) |
Borderless | Remote Code Execution (BAC) |
Borderless | Cross-Site Scripting (XSS) from SVG Upload (BAC) |
Borderless | Missing Authorization (BAC) and Icon Font Deletion (BAC) |
Bridge Core | Broken Access Control (BAC) |
Build Private Store For Woocommerce | Broken Access Control (BAC) |
Bulk Me Now! | Message Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
Button Block | Broken Access Control (BAC) |
Buzz Club Theme | Missing Authorization (BAC) and Limited Option Update (BAC) |
Cache Sniper for Nginx | Broken Access Control (BAC) |
CF7 WOW Styler | Unauthenticated Shortcode Execution (BAC) and Cross-Site Scripting (XSS) |
Chamber Dashboard Business Directory | Broken Access Control (BAC) |
ClickDesigns | Missing Authorization (BAC) and API Key Modification (BAC) or Removal (BAC) |
CoBlocks | Broken Access Control (BAC) |
Connections | Directory Deletion (BAC) |
Contact Form 7 Anti Spambot | Broken Access Control (BAC) |
Contact Form and Calls and Action by vcita | Missing Authorization (BAC) and Contact/Widget Toggle |
Contact Form & SMTP Plugin | Unauthenticated Shortcode Execution (BAC) |
Copy Move Posts | Broken Access Control (BAC) |
Counter Box | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
Coupon X | Missing Authorization (BAC) and PHP Object Injection (PHPi) |
Coupon X | Missing Authorization (BAC) |
Croma Music | Options Update (BAC) in ironMusic_ajax |
CubeWP Forms – All-in-One Form Builder | Broken Access Control (BAC) |
Custom Post Type Lockdown | Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC) |
DD Roles | Privilege Escalation (BAC) |
Debug Tool | Broken Access Control (BAC) |
Download Personalized WooCommerce Cart Page | Missing Authorization (BAC) and Unauthenticated Settings Update (BAC) |
Drag and Drop Multiple File Upload – Contact Form 7 | Limited File Deletion (BAC) |
Dynamics 365 Integration | Remote Code Execution (BAC) and File Read (BAC) from Twig Server-Side Template Injection |
Easy Form Builder | Missing Authorization (BAC) and Cross-Site Scripting (XSS) |
Easy Real Estate | Privilege Escalation (BAC) |
ECPay Ecommerce for WooCommerce | Missing Authorization (BAC) and Log Deletion (BAC) |
ElementInvader Addons for Elementor | Broken Access Control (BAC) |
Email Capture & Lead Generation | Broken Access Control (BAC) |
EMI Calculator | Settings Change (BAC) |
Envo Multipurpose Theme | Broken Access Control (BAC) |
Error Log Viewer | Missing Authorization (BAC) and Unauthenticated File Read (BAC) |
Essential WP Real Estate | Missing Authorization (BAC) and Post/Page Deletion (BAC) |
Eventer | File Read (BAC) |
Evergreen Content Poster | Missing Authorization (BAC) and Unauthenticated Post Deletion (BAC) |
ExactMetrics | Broken Access Control (BAC) |
Export Import Menus | Missing Authorization (BAC) and Unauthenticated Menu Export (BAC) |
FancyPost | Missing Authorization (BAC) and Shortcode Export (BAC) |
Fancy Product Designer | Unauthenticated File Upload (BAC) |
Food Menu – Restaurant Menu & Online Ordering for WooCommerce | Missing Authorization (BAC) and Settings Update (BAC) |
FV Thoughtful Comments | Broken Access Control (BAC) |
GamiPress | Unauthenticated Shortcode Execution (BAC) from gamipress_ajax_get_logs Function |
Garden Gnome Package | File Upload (BAC) |
GDPR CCPA Compliance Support | Broken Access Control (BAC) |
Gift Cards for WooCommerce Pro | Missing Authorization (BAC) and Infinite Money Glitch |
Goldstar | Broken Access Control (BAC) |
Goodlayers Core | Cross-Site Scripting (XSS) from SVG Upload (BAC) |
GPT3 AI Content Writer | Missing Authorization (BAC) and Shortcode Execution (BAC) |
Greenshift – animation and page builder blocks | Missing Authorization (BAC) and Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) |
Groundhogg | File Upload (BAC) from gh_big_file_upload Function |
GS Insever Portfolio | Missing Authorization (BAC) and CSS Injection |
Gutenberg Blocks by Kadence Blocks | Broken Access Control (BAC) |
Help Scout | Broken Access Control (BAC) |
Herd Effects | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
Hive Support – WordPress Help Desk | Broken Access Control (BAC) |
Homey Login Register | Privilege Escalation (BAC) |
Homey Theme | Privilege Escalation (BAC) |
Host PHP Info | Missing Authorization (BAC) and Unauthenticated Private Information Disclosure |
Houzez Theme | Broken Access Control (BAC) |
Houzez Theme | Broken Access Control (BAC) |
Htaccess File Editor | Broken Authentication (BAC) |
Image Gallery – Responsive Photo Gallery | Broken Access Control (BAC) |
Infility Global | Missing Authorization (BAC) and Plugin Options Update (BAC) |
Infographic Maker – iList | Unauthenticated Shortcode Execution (BAC) |
Interactive Page Hierarchy | Broken Access Control (BAC) |
Internal Links Manager | Broken Access Control (BAC) |
iSpring Embedder | Cross-Site Request Forgery (CSRF) and File Upload (BAC) |
JSM Show Post Metadata | Broken Access Control (BAC) |
JupiterX Core | Missing Authorization (BAC) and Library Sync |
JupiterX Core | Missing Authorization (BAC) and Unauthenticated Popup Template Export (BAC) |
LazyLoad Background Images | Missing Authorization (BAC) and Plugin Settings Update (BAC) |
LearnDash LMS | Broken Access Control (BAC) |
Linear | Cross-Site Request Forgery (CSRF) to Cache Reset (BAC) |
Linet ERP-Woocommerce Integration | Cross-Site Request Forgery (CSRF) and Broken Access Control (BAC) |
linkID | Missing Authorization (BAC) and Unauthenticated Private Information Exposure |
Live2DWebCanvas | File Deletion (BAC) |
Login Page Styler | Missing Authorization (BAC) and Log Deletion (BAC) and Session Termination |
Loginplus | Broken Access Control (BAC) |
Mark Posts | Broken Access Control (BAC) |
MC Woocommerce Wishlist | Unauthenticated Insecure Direct Object References (IDOR) from download_pdf_file Function (BAC) |
Media Manager for UserPro | Missing Authorization (BAC) and Unauthenticated Options Update (BAC) |
Media Manager for UserPro | Missing Authorization (BAC) and Options Update (BAC) |
Member Access | Unauthenticated Content Restriction Bypass (BAC) and Private Information Exposure |
MIMO Woocommerce Order Tracking | Missing Authorization (BAC) and Limited Settings Update (BAC) |
Minterpress | Content Deletion (BAC) |
MIPL WC Multisite Sync | Unauthenticated File Download (BAC) |
Modal Window | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
Modula Image Gallery | File Upload (BAC) |
Motors – Car Dealer & Classified Ads | Shortcode Execution (BAC) from Custom Title |
Multi Step Form | Missing Authorization (BAC) and Unauthenticated Limited File Upload (BAC) |
Multi Uploader for Gravity Forms | File Upload (BAC) |
MWB HubSpot for WooCommerce | Missing Authorization (BAC) and Options Update (BAC) |
MyAnime Widget | Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC) |
My Tickets | Broken Access Control (BAC) |
Newsletter2Go | Missing Authorization (BAC) and Style Reset (BAC) |
Nexter Blocks | Broken Access Control (BAC) |
Ni Sales Commission For WooCommerce | Missing Authorization (BAC) and Commission Update (BAC) |
NitroPack | Missing Authorization (BAC) and Limited Options Update (BAC) |
OrderConvo | Limited File Upload (BAC) and Cross-Site Scripting (XSS) |
Paid Member Subscriptions | Authentication Bypass (BAC) from pms_payment_id |
PAPERCITE | Broken Access Control (BAC) |
Passster – Password Protection | Unauthenticated Content Restriction Bypass (BAC) and Private Information Exposure |
Passwords Manager | Missing Authorization (BAC) and Add Password + Update Encryption Key |
Patreon WordPress | Broken Access Control (BAC) |
PayPal Marketing Solutions | Broken Access Control (BAC) |
PayU India | Unauthenticated Privilege Escalation (BAC) |
People Lists | Broken Access Control (BAC) |
Poll Maker | Broken Access Control (BAC) |
Popup – MailChimp, GetResponse and ActiveCampaign Integrations | Missing Authorization (BAC) and Unauthenticated DB Table Truncation |
Post Duplicator | Broken Access Control (BAC) |
Post Grid and Gutenberg Blocks | Unauthenticated Privilege Escalation (BAC) |
Post Grid Master | Missing Authorization (BAC) and Unauthenticated Local PHP File Inclusion |
Post SMTP | Broken Access Control (BAC) |
Post Title (TypeWriter) | Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC) |
Print Barcode Labels for your WooCommerce products/orders | Broken Access Control (BAC) |
Product Size Charts Plugin for WooCommerce | Broken Access Control (BAC) |
radSLIDE | Broken Access Control (BAC) and Cross-Site Scripting (XSS) |
RealHomes Theme | Privilege Escalation (BAC) |
Realty Workstation | Broken Access Control (BAC) |
Restrict Content | Unauthenticated Content Restriction Bypass (BAC) and Private Information Exposure |
RomethemeKit For Elementor | Broken Access Control (BAC) |
Royal Core | Options Update (BAC) |
RSVP and Event Management Plugin | Missing Authorization (BAC) |
RSVPMarker | Broken Access Control (BAC) |
Safe Ai Malware Protection for WP | Missing Authorization (BAC) and Unauthenticated Database Export (BAC) |
Salvador – AI Image Generator | Broken Access Control (BAC) |
Sandbox Theme | Missing Authorization (BAC) and Sandbox Download (BAC) |
Saoshyant Page Builder | Broken Access Control (BAC) |
Sastra Essential Addons for Elementor | Missing Authorization (BAC) and Spexo Theme Install |
School Management System – SakolaWP | Unauthenticated Privilege Escalation (BAC) |
Scratch & Win – Giveaways and Contests | Cross-Site Request Forgery (CSRF) via reset_installation Function (BAC) |
SendGrid for WordPress | Broken Access Control (BAC) |
SEO LAT Auto Post | Missing Authorization (BAC) and File Overwrite/Upload (Remote Code Execution (BAC)) |
Setup Default Featured Image | Broken Access Control (BAC) |
Shared Files | Limited Unauthenticated Cross-Site Scripting (XSS) from File Upload (BAC) |
ShipWorks Connector for Woocommerce | Cross-Site Request Forgery (CSRF) to Service Password/Username Update (BAC) |
Side Menu Lite | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
Single-user-chat | Limited Options Update (BAC) |
SKT Page Builder | File Upload (BAC) |
Slides & Presentations | Broken Access Control (BAC) |
Smallerik File Browser | File Upload (BAC) |
SMS Alert Order Notifications – WooCommerce | Missing Authorization (BAC) and Options Update (BAC) |
SMSA Shipping | File Deletion (BAC) |
Social Media Share Buttons | MashShare | Broken Access Control (BAC) |
Social Rocket | Missing Authorization (BAC) and Settings Update (BAC) |
Social Share Buttons for WordPress | Unauthenticated Image Upload (BAC) & Path Traversal |
Spacer | Missing Authorization (BAC) and Limited Information Disclosure |
Standard Box Sizes – for WooCommerce | Broken Access Control (BAC) |
ST Gallery WP | Settings Change (BAC) |
Sticky Buttons | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
Super Block Slider | Broken Access Control (BAC) |
SureForms | Missing Authorization (BAC) and Unauthenticated Protected Private Post Disclosure (PD) |
Sur.ly | Broken Access Control (BAC) |
Taxonomy/Term and Role based Discounts for WooCommerce | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
Team 118GROUP Agent | Content Deletion (BAC) |
ThemeREX Addons | Unauthenticated File Upload (BAC) in trx_addons_uploads_save_data |
Themes Coder | Insecure Direct Object References (IDOR) and Password Change (BAC) /Account Takeover (BAC)/Privilege Escalation (BAC) |
The Ultimate WordPress Toolkit – WP Extended | Missing Authorization (BAC) and Remote Code Execution (BAC) |
The Ultimate WordPress Toolkit – WP Extended | Missing Authorization (BAC) and Cross-Site Scripting (XSS) |
Thim Elementor Kit | Broken Access Control (BAC) |
TH Variation Swatches | Cross-Site Request Forgery (CSRF) to Plugin Settings Reset (BAC) |
Title Experiments Free | Broken Access Control (BAC) |
Tourfic | File Upload (BAC) |
ts-tree | Content Deletion (BAC) |
uDesign Theme | Broken Access Control (BAC) |
Ultimate Gift Cards For WooCommerce | Missing Authorization (BAC) and Infinite Money Glitch |
user files | File Upload (BAC) |
User Management | Privilege Escalation (BAC) |
User Sync ActiveCampaign | Broken Access Control (BAC) |
VForm | Broken Access Control (BAC) |
VikBooking Hotel Booking Engine & PMS | Cross-Site Request Forgery (CSRF) to File Upload (BAC) |
VOD Infomaniak | Broken Access Control (BAC) |
W2S – Migrate WooCommerce and Shopify | Missing Authorization (BAC) and File Read (BAC) |
W3 Total Cache | Missing Authorization (BAC) and Server-Side Request Forgery (SSRF) |
W3 Total Cache | Missing Authorization (BAC) and Unauthenticated Plugin Deactivation and Extensions Activation/Deactivation |
WC Wallet | Content Deletion (BAC) |
WebinarPress | Missing Authorization (BAC) and File Creation |
Widget Options | Broken Access Control (BAC) and Notice Dismissal |
WooCommerce Product Table Lite | Broken Access Control (BAC) |
WooCommerce Product Table Lite | Unauthenticated Shortcode Execution (BAC) & Cross-Site Scripting (XSS) |
Woo Tuner | Broken Access Control (BAC) |
WordLift | Missing Authorization (BAC) and Settings Update (BAC) |
WordPress File Upload | Unauthenticated Remote Code Execution (BAC) |
WordPress File Upload | Unauthenticated Path Traversal and File Read (BAC) in wfu_file_downloader.php |
WordPress File Upload | Missing Authorization (BAC) and Limited Path Traversal |
WordPress File Upload | Unauthenticated Remote Code Execution (BAC), File Read (BAC), and File Deletion (BAC) |
WordPress Graphs & Charts | Broken Access Control (BAC) |
WordPress Popular Posts | Unauthenticated Shortcode Execution (BAC) |
WP All Import Pro | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
WPBookit | Unauthenticated User Password Change (BAC) |
WPBookit | Unauthenticated File Upload (BAC) |
WPBot Pro WordPress Chatbot | Unauthenticated File Upload (BAC) |
WPBot Pro WordPress Chatbot | Missing Authorization (BAC) and Simple Text Response Creation |
WP Cloud | File Deletion (BAC) |
WP Customer Area | Event Log Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
WP Delete Post Copies | Broken Access Control (BAC) |
WP Duplicate – WordPress Migration Plugin | Broken Access Control (BAC) |
WP EasyCart | Missing Authorization (BAC) and Order Updates (BAC) |
WP Fast Total Search | Broken Access Control (BAC) |
WPGuppy | Broken Authentication (BAC) |
WPGuppy | Privilege Escalation (BAC) |
WP Hotel Booking | Missing Authorization (BAC) |
WP Hotel Booking | Missing Authorization (BAC) and User Email Retrieval |
WP Image Uploader | Cross-Site Request Forgery (CSRF) to File Deletion (BAC) |
WP Image Uploader | Missing Authorization (BAC) and File Deletion (BAC) |
WP Journal | Broken Access Control (BAC) |
WP Load Gallery | File Upload (BAC) |
WP Meetup | Settings Change (BAC) |
WP News Sliders | Broken Access Control (BAC) |
WP Options Editor | Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC) |
WpTravelly | Broken Access Control (BAC) |
WP Ultimate Exporter | File Read (BAC) |
WP User Profile Avatar | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
WP Visitor Statistics (Real Time Traffic) | Broken Access Control (BAC) |
WP Wand | Broken Access Control (BAC) |
WR Price List Manager For Woocommerce | Remote Code Execution (RCE) (BAC) |
XLSXviewer | File Deletion (BAC) |
Xola | Broken Access Control (BAC) |
Youzify | Missing Authorization (BAC) and Review Deletion (BAC) |
Youzify | Missing Authorization (BAC) and Limited Options Update (BAC) |
Zox News Theme | Missing Authorization (BAC) and Options Update (BAC) |
zStore Manager Basic | Missing Authorization (BAC) and Cache Clearing |
WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
WP BAC & WordPress Broken Access Control reported in 2024: | 2024 |
WP BAC & WordPress Broken Access Control reported in 2025: | 477 |
MANAGED WP/Woo SECURITY: WP Broken Access Control – WP Broken Access Control Related Posts
- WP BAC JAN 2025: Brutal 219 WP Broken Access Control
- WP BAC DEC 2024: Brutal 205 WP Broken Access Control
- WP BAC NOV 2024: 264 Brutal WP Broken Access Control
- WP BAC OCT 2024: 97 Brutal WP Broken Access Control