WP BAC JUN 2025: WP Broken Access Control
Managed WP/Woo Security Report
Be informed about the latest WP Broken Access Control issues, identified and reported publicly. WP BAC JUN 2025 is a -53% DECREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT – OR – switching to a TOP10LIST alternative WP Security Plugin – OR – hiring professionals for managed WP Security.

WP BAC JUN 2025: Brutal 174 WP Broken Access Control (Infographic)
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
| Plugin / Theme | Vulnerability |
| --- | --- |
| 1 Click WordPress Migration | Missing Authorization (BAC) and Arbitrary File Upload (BAC) |
| 6Storage Rentals | Broken Access Control (BAC) |
| Acerola Theme | Broken Access Control (BAC) |
| Advanced File Manager | Broken Access Control (BAC) and Notice Dismissal |
| AHAthat | Cross-Site Request Forgery (CSRF) and AHA Page Deletion (BAC) |
| Ajar in5 Embed | Arbitrary File Upload (BAC) |
| AnyWhere Elementor Pro Theme | Broken Access Control (BAC) |
| BEAF | Arbitrary File Upload (BAC) |
| belingoGeo | Arbitrary File Download (BAC) |
| BERTHA AI | Broken Access Control (BAC) |
| Blocksy Theme | Broken Access Control (BAC) |
| Booking and Rental Manager | Broken Access Control (BAC) |
| Bot for Telegram on WooCommerce | Broken Access Control (BAC) |
| Browse As | Authentication Bypass (BAC) from Cookie |
| BTEV | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| BuddyPress Platform Pro | Authentication Bypass (BAC) from Apple OAuth provider |
| Bulk Featured Image | Broken Access Control (BAC) |
| Calculate Prices based on Distance For WooCommerce | Broken Access Control (BAC) |
| Challan | Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC) |
| ClickWhale | Broken Access Control (BAC) |
| Coming Soon Page, Under Construction & Maintenance Mode by SeedProd | Missing Authorization (BAC) and Private Information Exposure |
| ContentStudio | Broken Access Control (BAC) |
| CouponXL Theme | Privilege Escalation (BAC) |
| Cozy Blocks | Broken Access Control (BAC) |
| Crawlomatic Multisite Scraper Post Generator | Unauthenticated Arbitrary File Upload (BAC) |
| CryptoCloud Crypto Payment Gateway | Broken Access Control (BAC) |
| CSS3 Accordions for WordPress | Broken Access Control (BAC) |
| CSS3 Compare Pricing Tables for WordPress | Broken Access Control (BAC) |
| CSS3 Tooltips for WordPress | Broken Access Control (BAC) |
| CURCY | Arbitrary Shortcode Execution (BAC) |
| Custom Author Base | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| Digits | Auth Bypass (BAC) from OTP Bruteforcing |
| Drag and Drop File Upload for Elementor Forms | Arbitrary File Deletion (BAC) |
| Drag and Drop Multiple File Upload for WooCommerce | Unauthenticated Arbitrary File Upload (BAC) from upload Function |
| eaSYNC | PayPal Settings Update (BAC) |
| Echo RSS Feed Post Generator Plugin for WordPress | Unauthenticated Arbitrary File Upload (BAC) |
| EKC Tournament Manager | Arbitrary File Download (BAC) |
| Element Pack Pro | Broken Access Control (BAC) |
| ELEX WordPress HelpDesk & Customer Ticketing System | Arbitrary File Upload (BAC) |
| eMagicOne Store Manager | Unauthenticated Arbitrary File Deletion (BAC) |
| eMagicOne Store Manager | Unauthenticated Arbitrary File Read (BAC) |
| eMagicOne Store Manager | Unauthenticated Arbitrary File Upload (BAC) from set_file() |
| Embed and Integrate Etsy Shop | Broken Access Control (BAC) |
| Envo Extra | Broken Access Control (BAC) |
| Envolve Plugin | Unauthenticated Arbitrary File Upload (BAC) from language_file and fonts_file |
| Envolve Plugin | Unauthenticated Language File Deletion (BAC) |
| EUCookieLaw | Unauthenticated Arbitrary File Read (BAC) |
| Event Calendar | Unauthenticated Arbitrary Calendar Deletion (BAC) |
| Eventer | Broken Access Control (BAC) |
| Eventin | Arbitrary File Download (BAC) |
| Eventin | Privilege Escalation (BAC) |
| EventON | Broken Access Control (BAC) |
| EventON | Missing Authorization (BAC) and Cross-Site Scripting (XSS) |
| EventON | Broken Access Control (BAC) |
| EventPrime | Arbitrary booking Settings Update (BAC) |
| Experto CTA Widget – Call and Action, Sticky CTA, Floating Button Plugin | Settings Change (BAC) |
| External image replace | Arbitrary File Upload (BAC) |
| Featured Image Plus | Missing Authorization (BAC) and Featured Image Update |
| Flynax Bridge | Unauthenticated Privilege Escalation (BAC) |
| Frontend Dashboard | Missing Authorization (BAC) and Unauthenticated Privilege Escalation (BAC) |
| Frontend Dashboard | Missing Authorization (BAC) and Privilege Escalation (BAC) |
| Frontend Login and Registration Blocks | Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC) |
| GDPR CCPA Compliance Support | Broken Access Control (BAC) |
| Graphina | Broken Access Control (BAC) |
| Groundhogg | Arbitrary File Deletion (BAC) |
| GS Logo Slider | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| GS Testimonial Slider | Broken Access Control (BAC) |
| GS Variation Swatches for WooCommerce | Broken Access Control (BAC) |
| Homey Theme | Missing Authorization (BAC) and Arbitrary Reservation & Post Deletion |
| Hospital Management System | Arbitrary File Upload (BAC) |
| Hospital Management System | Privilege Escalation (BAC) |
| HotStar – Multi-Purpose Business Theme | Broken Access Control (BAC) |
| IMITHEMES Listing | Unauthenticated Privilege Escalation (BAC) from Unverified Password Reset (BAC) |
| Infocob CRM Forms | Arbitrary File Download (BAC) |
| Instantio | Arbitrary File Upload (BAC) |
| Jetpack | Unauthenticated Arbitrary Block & Shortcode Execution (BAC) |
| Jetpack Debug Tools | Broken Access Control (BAC) |
| JP Students Result Management System Premium | Arbitrary File Upload (BAC) |
| KBx Pro Ultimate | Arbitrary File Deletion (BAC) |
| LayoutBoxx | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| Lead Form Data Collection and CRM | Arbitrary Option Update and Privilege Escalation (BAC) |
| Leadinfo | Settings Change (BAC) |
| Legal Pages | Broken Access Control (BAC) |
| LessButtons Social Sharing and Statistics | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
| LocateAndFilter | Broken Access Control (BAC) |
| Login Lockdown | Missing Authorization (BAC) and Arbitrary IP Whitelisting |
| Majestic Support | Broken Access Control (BAC) |
| MapSVG | Broken Access Control (BAC) |
| MapSVG | Broken Access Control (BAC) |
| MapSVG | Arbitrary Shortcode Execution (BAC) |
| MasterStudy LMS Pro | Arbitrary File Upload (BAC) |
| Media Hygiene | Broken Access Control (BAC) |
| Motors Theme | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| Motors Theme | Unauthenticated Privilege Escalation (BAC) from Password Update (BAC)/Account Takeover (BAC) |
| MStore API | Unauthenticated Privilege Escalation (BAC) |
| MStore API | Missing Authorization (BAC) and Posts Creation |
| Music Player for WooCommerce | Broken Access Control (BAC) |
| Nomupay Payment Processing Gateway | Arbitrary File Download (BAC) |
| Ntz Antispam | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| Opal Woo Custom Product Variation | Arbitrary File Deletion (BAC) |
| OTP-less one tap Sign in | Unauthenticated Arbitrary Email Update and Account Takeover (BAC)/Privilege Escalation (BAC) |
| Ovation Elements | Broken Access Control (BAC) |
| PeproDev Ultimate Profile Solutions | Authentication Bypass (BAC) and Account Takeover (BAC) |
| PeproDev Ultimate Profile Solutions | Missing Authorization (BAC) and Unauthenticated Arbitrary User Meta Update |
| PeproDev Ultimate Profile Solutions | Missing Authorization (BAC) and Unauthenticated Email Enumeration |
| PGS Core | Missing Authorization (BAC) from Multiple Functions |
| Pinterest Automatic Pin | Broken Access Control (BAC) |
| Printcart Web and Print Product Designer for WooCommerce | Arbitrary File Upload (BAC) |
| Product Quantity Dropdown For Woocommerce | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
| ProfileGrid | Broken Access Control (BAC) |
| Projectopia | Broken Access Control (BAC) |
| Property | Missing Authorization (BAC) and Privilege Escalation (BAC) from property_package_user_role Metadata in PayPal Registration |
| Push notification for Mobile and Web app | Broken Access Control (BAC) |
| QS Dark Mode | Broken Access Control (BAC) |
| QuickCal | Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC) |
| QuickCal | Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC) |
| Rankie | Broken Access Control (BAC) |
| Reales WP STPT | Privilege Escalation (BAC) from Password Update (BAC) |
| Reales WP STPT | Unauthorized User Registration (BAC) |
| Responsive Plus | Broken Access Control (BAC) |
| Rootspersona | Broken Access Control (BAC) |
| Rozario Theme | Broken Access Control (BAC) |
| RS WP Book Showcase | Arbitrary Shortcode Execution (BAC) |
| Salon Booking Pro | Broken Access Control (BAC) |
| Secure Downloads | Arbitrary File Download (BAC) |
| Sharespine Woocommerce Connector | Broken Access Control (BAC) |
| Shortlinks by Pretty Links | Broken Access Control (BAC) |
| Simple Business Directory Pro | Privilege Escalation (BAC) |
| Simple File List | Settings Change (BAC) |
| Simple Link Directory Pro | Broken Access Control (BAC) |
| Simple Nav Archives | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| SMS Alert Order Notifications – WooCommerce | Privilege Escalation (BAC) from handleWpLoginCreateUserAction Function |
| Splitit | Missing Authorization (BAC) and Multiple Administrative Actions |
| Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light | Privilege Escalation (BAC) |
| STAGGS | Arbitrary File Upload (BAC) |
| StoreKeeper for WooCommerce | Arbitrary File Upload (BAC) |
| StyleAI | Broken Access Control (BAC) |
| Subaccounts for WooCommerce | Account Takeover (BAC) |
| Tainacan | Arbitrary File Deletion (BAC) |
| The Business Theme | Broken Access Control (BAC) |
| The Events Calendar | Broken Access Control (BAC) |
| TheGem Theme | Arbitrary File Upload (BAC) |
| TheGem Theme | Missing Authorization (BAC) and Arbitrary Theme Options Update |
| The Plus Addons for Elementor Pro | Broken Access Control (BAC) |
| The Ultimate WordPress Toolkit – WP Extended | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| TicketBAI Facturas para WooCommerce | Unauthenticated Arbitrary File Deletion (BAC) |
| TI WooCommerce Wishlist | Arbitrary File Upload (BAC) |
| Tours | Broken Access Control (BAC) |
| Travelpayouts | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| TwitterPosts | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| Uncanny Automator | Missing Authorization (BAC) and Plugin Settings Update (BAC) |
| Url Rewrite Analyzer | Broken Access Control (BAC) |
| User Profile Meta Manager | Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC) |
| Visual Builder | Broken Access Control (BAC) |
| Visual Header | Broken Access Control (BAC) |
| Web3Press | Arbitrary File Read (BAC) |
| Wholesale Market | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| Widgets Reset | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
| Wiki Embed | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
| Wishlist | Broken Access Control (BAC) |
| Wolmart Theme | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| Woocommerce Multiple Addresses | Privilege Escalation (BAC) |
| WooCommerce POS | Broken Access Control (BAC) |
| Woo Slider Pro | Arbitrary Content Deletion (BAC) |
| Woo Slider Pro | Missing Authorization (BAC) and Arbitrary Post Deletion from woo_slide_pro_delete_draft_preview |
| WordPress Auto Spinner | Broken Access Control (BAC) |
| WPBookit | Insecure Direct Object Reference and Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC) |
| WPBot Pro WordPress Chatbot | Arbitrary File Deletion (BAC) |
| WP Job Portal | Arbitrary File Download (BAC) |
| WP Mapa Politico España | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
| WP shop | Privilege Escalation (BAC) from Account Takeover (BAC) |
| Year Make Model Search for WooCommerce | Cross-Site Request Forgery (CSRF) and Settings Change (BAC) |
| Z-Downloads | Arbitrary File Upload (BAC) |
| 百度站长SEO合集(支持百度/神马/Bing/头条推送) | Unauthenticated Arbitrary File Upload (BAC) |
| Year | WP BAC & WordPress Broken Access Control reported |
| --- | --- |
| 2023 | 931 |
| 2024 | 2024 |
| 2025 | 1377 |