WP BAC NOV 2024: WP Broken Access Control
Managed WP/Woo Security Report
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC NOV 2024 is a +172% INCREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin - OR - Hire professionals for managed WP Security.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
| 1-Click Login: Passwordless Authentication | Broken Authentication (BAC) |
| 3D Work In Progress | Arbitrary File Deletion (BAC) |
| 3D Work In Progress | Arbitrary File Upload (BAC) |
| AADMY | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| ACF Images Search And Insert | Arbitrary File Upload (BAC) |
| Acnoo Flutter API | Account Takeover (BAC) |
| Adding drop down roles in registration | Privilege Escalation (BAC) |
| aDirectory | Arbitrary File Upload (BAC) |
| Advanced Advertising System | PHP Object Injection (BAC) |
| Advanced Custom Fields | Missing Authorization (BAC) on Option Changes (BAC) |
| Advanced Custom Fields | Missing Authorization (BAC) to Private Information Disclosure |
| Advanced Custom Fields | Missing Authorization (BAC) to Private Information Disclosure |
| Advanced Custom Fields PRO | Missing Authorization (BAC) on Option Changes (BAC) |
| Advanced Custom Fields PRO | Missing Authorization (BAC) to Private Information Disclosure |
| Advanced Custom Fields PRO | Missing Authorization (BAC) to Private Information Disclosure |
| Affiliate Pro - Affiliate Program for WooCommerce & WordPress | Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC) |
| Affiliator | Arbitrary File Upload (BAC) |
| Aggregator Advanced Settings | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Ahime Image Printer | Arbitrary File Download (BAC) |
| AI Image Generator for Your Content & Featured Images – AI Postpix | Arbitrary File Upload (BAC) |
| Ajar in5 Embed | Arbitrary File Upload (BAC) |
| All Post Contact Form | Arbitrary File Upload (BAC) |
| AMP for WP | Cross-Site Request Forgery to Privilege Escalation (BAC) |
| Analyse Uploads | Arbitrary File Deletion (BAC) |
| App Builder | Privilege Escalation (BAC) and Account Takeover (BAC) from Weak OTP |
| AppPresser | Privilege Escalation (BAC) and Account Takeover (BAC) from Weak OTP |
| AR For Woocommerce | Arbitrary File Upload (BAC) |
| AR For WordPress | Arbitrary File Upload (BAC) |
| Automatic Translation | Arbitrary File Upload (BAC) |
| AVIF & SVG Uploader | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Azz Anonim Posting | Arbitrary File Upload (BAC) |
| Backup and Staging by WP Time Capsule | PHP Object Injection (BAC) |
| Best Restaurant Menu by PriceListo | Broken Access Control (BAC) |
| Bit File Manager | Limited JavaScript File Upload (BAC) |
| Bit Form – Contact Form Plugin | Improper Input Validation to Arbitrary File Read (BAC) |
| Black Widgets For Elementor | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Bold Page Builder | Broken Access Control (BAC) |
| Bot for Telegram on WooCommerce | Telegram Bot Token Disclosure to Authentication Bypass (BAC) |
| Branding | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Breeze | Broken Access Control (BAC) |
| Bridge Core | Missing Authorization (BAC) to Demo Import |
| Bstone Demo Importer | Privilege Escalation (BAC) |
| BuddyPress | Directory Traversal (BAC) |
| BuddyPress Better Registration | Broken Authentication (BAC) |
| Bulk Change Role | Privilege Escalation (BAC) |
| Bulk images optimizer | Missing Authorization (BAC) to Plugin Options Update (BAC) |
| Calculated Fields Form | HTML Injection (BAC) |
| Category Icon | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Code Explorer | External File Read (BAC)ing |
| Contact Form 7 Telegram | Missing Authorization (BAC) to Subscription Approve and Pause and Refuse |
| Cooked Pro | Unauthenticated Arbitrary File Upload (BAC) |
| Creates 3D Flipbook, PDF Flipbook | Arbitrary File Upload (BAC) |
| Crypto | Authentication Bypass (BAC) from log_in |
| Crypto | Authentication Bypass (BAC) from register |
| Crypto | Cross-Site Request Forgery to Authentication Bypass (BAC) |
| CubeWP – All-in-One Dynamic Content Framework | Broken Access Control (BAC) |
| Custom Icons for Elementor | Arbitrary File Upload (BAC) |
| Debrandify | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Demo Importer Plus | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Digital Lottery | Arbitrary File Upload (BAC) |
| Disc Golf Manager | PHP Object Injection (BAC) |
| Download Monitor | Missing Authorization (BAC) to API Key Manipulation |
| Download Monitor | Missing Authorization (BAC) to Private Information Exposure |
| Download Plugin | Missing Authorization (BAC) to User Metadata and Comment Download |
| DS.DownloadList | PHP Object Injection (BAC) |
| Easy Demo Importer | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Easy Menu Manager | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Easy Post Types | Missing Authorization (BAC) from Multiple Functions |
| Easy Post Types | PHP Object Injection (BAC) |
| Echo RSS Feed Post Generator Plugin for WordPress | Unauthenticated Privilege Escalation (BAC) |
| Editorial Assistant by Sovrn | Missing Authorization (BAC) to Attachment Upload and Set Post Featured Image |
| EKC Tournament Manager | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
| Elastik Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Elemenda | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| ElementsReady Addons for Elementor | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Email Subscribers & Newsletters | Arbitrary Shortcode Execution (BAC) |
| Empowerment Theme | PHP Object Injection (BAC) |
| Enable Shortcodes inside Widgets,Comments and Experts | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| Exam Matrix | Privilege Escalation (BAC) |
| Extensions by HocWP Team | Authentication Bypass (BAC) |
| Feed Comments Number | Arbitrary File Upload (BAC) |
| File Manager Pro | Cross-Site Request Forgery to Arbitrary File Upload (BAC) |
| File Manager Pro | Unauthenticated Backup File Download (BAC) and Upload |
| File Manager Pro | Unauthenticated Limited JavaScript File Upload (BAC) |
| FileOrganizer | Arbitrary File Upload (BAC) |
| Fonto | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Forminator | Missing Authorization (BAC) to Form Update (BAC) and Creation |
| FREE DOWNLOAD MANAGER | Arbitrary File Deletion (BAC) |
| Free Stock Photos Foter | PHP Object Injection (BAC) |
| GERRYWORKS Post by Mail | Privilege Escalation (BAC) |
| Giveaway Boost | PHP Object Injection (BAC) |
| GiveWP | Unauthenticated PHP Object Injection (BAC) to Remote Code Execution (RCE) |
| Greenshift – animation and page builder blocks | Broken Access Control (BAC) |
| GRÜN spendino Spendenformular | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
| GutenKit | Unauthenticated Arbitrary File Upload (BAC) |
| Happy Addons for Elementor | Broken Access Control (BAC) |
| Hash Form | Unauthenticated Limited File Upload (BAC) |
| HD Quiz – Save Results Light | Broken Access Control (BAC) |
| Hello World | Arbitrary File Read (BAC) |
| Htaccess File Editor | Broken Access Control (BAC) |
| Hunk Companion | Missing Authorization (BAC) to Unauthenticated Arbitrary Plugin Installation and Activation |
| HurryTimer | Missing Authorization (BAC) to Arbitrary Post Publication |
| iBryl Switch User | Account Takeover (BAC) |
| Image Map Pro | Missing Authorization (BAC) to Map Project Add and Update and Delete |
| ImagePress | Cross-Site Request Forgery to Plugin Settings Update (BAC) |
| ImagePress | Missing Authorization (BAC) to Arbitrary Post Deletion (BAC) and Post Title Update (BAC) |
| Infinite-Scroll | Cross-Site Request Forgery to Plugin Settings Update (BAC) |
| INK Official | Arbitrary File Upload (BAC) |
| IP Loc8 | PHP Object Injection (BAC) |
| JiangQie Free Mini Program | Arbitrary File Upload (BAC) |
| Job Board Manager for WordPress | Privilege Escalation (BAC) |
| Kata Plus | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| KB Support | Missing Authorization (BAC) to Multiple Administrator Actions |
| KB Support | Missing Authorization (BAC) to Unauthenticated Ticket Reply Exposure |
| Landing Page Cat | Broken Access Control (BAC) |
| LatePoint | Authentication Bypass (BAC) |
| Leyka | Broken Access Control (BAC) |
| Linkz.ai | Missing Authorization (BAC) to Plugin Settings Update (BAC) |
| Linkz.ai | Missing Authorization (BAC) to Unauthenticated Plugin Settings Update (BAC) |
| LiteSpeed Cache | Privilege Escalation (BAC) |
| LocateAndFilter | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Login Protection – Limit Failed Login Attempts | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
| MaanStore API | Account Takeover (BAC) |
| Mapster WP Maps | Incorrect Authorization to Arbitrary Options Update (BAC) |
| Marketing Automation by AZEXO | Arbitrary File Upload (BAC) |
| Marketing Automation by AZEXO | Privilege Escalation (BAC) |
| Masteriyo - LMS | Missing Authorization (BAC) to Privilege Escalation (BAC) |
| Meetup | Broken Authentication (BAC) |
| Miniorange OTP Verification with Firebase | Authentication Bypass (BAC) |
| Miniorange OTP Verification with Firebase | Privilege Escalation (BAC) from Registration due to Administrator Default User Role Value |
| Multiline files upload for contact form 7 | Missing Authorization (BAC) to Plugin Deactivation |
| Multi Purpose Mail Form | Arbitrary File Upload (BAC) |
| Multi Purpose Mail Form | Arbitrary File Upload (BAC) |
| Multi Step Form | Broken Access Control (BAC) |
| Mynx Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| My Reading Library | PHP Object Injection (BAC) |
| My Wp Brand – Hide menu & Hide Plugin | Broken Access Control (BAC) |
| Namaste! LMS | PHP Object Injection (BAC) |
| Nextend Social Login Pro | Authentication Bypass (BAC) |
| Nice Backgrounds | Arbitrary File Upload (BAC) |
| Notification for Telegram | Missing Authorization (BAC) |
| Order Attachments for WooCommerce 2.0 | Missing Authorization (BAC) to Limited Arbitrary File Upload (BAC) |
| Order Notification for Telegram | Missing Authorization (BAC) to Unauthenticated Send Telegram Test Message |
| Pedalo Connector | Authentication Bypass (BAC) |
| PegaPoll | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
| Photo Gallery Builder | Broken Access Control (BAC) to Notice Dismissal |
| photokit | Arbitrary File Upload (BAC) |
| Plugin Propagator | Arbitrary File Upload (BAC) |
| Plug your WooCommerce into the largest catalog of customized print products from Helloprint | Arbitrary File Upload (BAC) |
| Portfolleo | Arbitrary File Upload (BAC) |
| Product Customizer Light | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Product Website Showcase | Arbitrary File Upload (BAC) |
| ProfilePress Pro | Authentication Bypass (BAC) |
| Property Lot Management System | Arbitrary File Upload (BAC) |
| PublishPress Authors | Insecure Direct Object Reference (IDOR) to Arbitrary User Email Update (BAC) and Account Takeover (BAC) |
| PWA | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| QA Analytics | Missing Authorization (BAC) to Settings Update (BAC) |
| QS Dark Mode | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| R Animated Icon | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Rank Math SEO | PHP Object Injection (BAC) |
| Rank Math SEO | Missing Authorization (BAC) to Unauthenticated User and Term Metadata Insert, Update (BAC), and Delete |
| Read more By Adam | Missing Authorization (BAC) to Read More Button Deletion (BAC) |
| Realty Workstation | Account Takeover (BAC) |
| Recently | PHP Object Injection (BAC) |
| Relogo | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Re:WP | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Robo Gallery | Missing Authorization (BAC) to Private Gallery Title Disclosure |
| Rover IDX | Missing Authorization (BAC) from Multiple Functions |
| Rover IDX | Authentication Bypass (BAC) to Administrator |
| RS-Members | Privilege Escalation (BAC) |
| RSVPMaker for Toastmasters | Arbitrary File Upload (BAC) |
| SendGrid for WordPress | Missing Authorization (BAC) to Log Deletion (BAC) |
| SEOPress | Broken Access Control (BAC) |
| SEOPress | Broken Access Control (BAC) |
| SEOPress | Unauthenticated Broken Access Control (BAC) |
| Shipyaari Shipping Management | PHP Object Injection (BAC) |
| Shortcodes AnyWhere | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| ShortPixel Image Optimizer | Broken Access Control (BAC) |
| Signup Page | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
| Simple Custom Post Order | Broken Access Control (BAC) |
| Simple Membership | Open Redirection (BAC) |
| Simple User Registration | Account Takeover (BAC) |
| Sirv | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| SiteBuilder Dynamic Components | PHP Object Injection (BAC) |
| Slider Revolution | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Smart Manager | Broken Access Control (BAC) |
| Social Web Suite | Directory Traversal (BAC) to Arbitrary File Download (BAC) |
| Soumettre.fr | Missing Authorization (BAC) |
| Sovratec Case Management | Arbitrary File Upload (BAC) |
| Spice Starter Sites | Missing Authorization (BAC) to Unauthenticated Demo Content Import |
| Stackable | Unauthenticated CSS Injection (BAC) |
| Stacks Mobile App Builder | Account Takeover (BAC) |
| Stacks Mobile App Builder | Arbitrary File Upload (BAC) |
| Stars SMTP Mailer | Arbitrary File Upload (BAC) |
| Sudan Payment Gateway for WooCommerce | Arbitrary File Upload (BAC) |
| Suki Sites Import | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Sunshine Photo Cart | Broken Access Control (BAC) |
| Sunshine Photo Cart | Open Redirection (BAC) |
| SurveyJS: Drag & Drop WordPress Form Builder | Arbitrary File Upload (BAC) |
| SVG Complete | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| TAKETIN To WP Membership | PHP Object Injection (BAC) |
| Talkback | PHP Object Injection (BAC) |
| Telecash Ricaricaweb | PHP Object Injection (BAC) |
| Templately | Broken Access Control (BAC) |
| Templately | Broken Access Control (BAC) |
| Timetable and Event Schedule | Missing Authorization (BAC) |
| Timetics | Insecure Direct Object Reference (IDOR) to Unauthenticated Arbitrary User Password and Email Reset and Account Takeover (BAC) |
| Token Login | Broken Authentication (BAC) |
| Training – Courses | Arbitrary File Upload (BAC) |
| Uix Shortcodes | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| UltimateAI | Authentication Bypass (BAC) |
| UltimateAI | Limited User Password Change (BAC) due to Improper Empty and Missing Default Value Check |
| UltraPress Theme | PHP Object Injection (BAC) |
| Unseen Blog Theme | PHP Object Injection (BAC) |
| UserPlus | Registration Form Update (BAC) to Privilege Escalation (BAC) |
| User Toolkit | Account Takeover (BAC) |
| Verbalize WP | Arbitrary File Upload (BAC) |
| WatchTowerHQ | Authentication Bypass (BAC) |
| WC Marketplace | Cross-Site Request Forgery to Vendor Update (BAC)s |
| WC Marketplace | Missing Authorization (BAC) to Forged Vendor ProFile Deletion (BAC) Email Sending |
| Wechat Social login | Authentication Bypass (BAC) |
| Wechat Social login | Unauthenticated Arbitrary File Upload (BAC) |
| WooCommerce | Unauthenticated HTML Injection (BAC) |
| Woocommerce Custom Profile Picture | Arbitrary File Upload (BAC) |
| WooCommerce Order Proposal | Privilege Escalation (BAC) from Order Proposal |
| WooCommerce PDF Invoices & Packing Slips | Broken Access Control (BAC) |
| Woocommerce Product Design | Arbitrary File Deletion (BAC) |
| Woocommerce Product Design | Arbitrary File Download (BAC) |
| Woocommerce Product Design | Arbitrary File Upload (BAC) |
| WooCommerce UPS Shipping – Live Rates and Access Points | Missing Authorization (BAC) to Plugin API key reset |
| Woostagram Connect | Arbitrary File Upload (BAC) |
| WordPress Comments Import & Export | Arbitrary File Read (BAC) from Directory Traversal (BAC) |
| WordPress File Upload (BAC) | Unauthenticated Path Traversal to Arbitrary File Read (BAC) and Deletion (BAC) in wfu_file_downloaderphp |
| WordPress Gallery Plugin – Limb Image Gallery | Arbitrary File Download (BAC) |
| WordPress Gallery Plugin – Limb Image Gallery | Arbitrary File Upload (BAC) |
| WordPress Meta Data and Taxonomies Filter (MDTF) | Bypass (BAC) |
| WordPress Stripe Donation and Payment Plugin | Broken Access Control (BAC) |
| WP 2FA with Telegram | Authentication Bypass (BAC) |
| WP 2FA with Telegram | Two-Factor Authentication Bypass (BAC) |
| WP Adminify | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WP Blocks Hub | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WP Booking System | Broken Access Control (BAC) |
| WP Cleanup and Basic Functions | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WPC Shop as a Customer for WooCommerce | PHP Object Injection (BAC) |
| WPC Smart Messages for WooCommerce | Missing Authorization (BAC) to Message Activation and Deactivation |
| wpDiscuz | Authentication Bypass (BAC) |
| WP donimedia carousel | Arbitrary File Upload (BAC) |
| WP Dropbox Dropins | Arbitrary File Upload (BAC) |
| WP Hotel Booking | Arbitrary File Upload (BAC) |
| WP Popup Builder | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| WP REST API FNS | Account Takeover (BAC) |
| WP REST API FNS | Arbitrary File Upload (BAC) |
| WP RSS Aggregator | Missing Authorization (BAC) |
| WPSchoolPress | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) and Privilege Escalation (BAC) |
| Wp Social | Authentication Bypass (BAC) |
| WPS Telegram Chat | Missing Authorization (BAC) to Private Information Exposure |
| WP ULike | Cross-Site Request Forgery to Statistic Deletion (BAC) |
| WP Users Masquerade | Authentication Bypass (BAC) |
| WP VR | Broken Access Control (BAC) |
| WP VR | Broken Access Control (BAC) |
| Wux Blog Editor | Authentication Bypass (BAC) to Administrator |
| Wux Blog Editor | Unauthenticated Arbitrary File Upload (BAC) |
| Youzify | Missing Authorization (BAC) to Arbitrary Attachment Deletion (BAC) |
| Zita Elementor Site Library | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
| WP BAC & WordPress Broken Access Control reported in 2024: | 1600 |
MANAGED WP/Woo SECURITY: WP Broken Access Control – WP Broken Access Control Related Posts
WP BAC OCT 2024: 97 Brutal WP Broken Access Control
WP BAC OCT 2024: WP Broken Access Control Managed WP/Woo Security Report Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC OCT 2024 is a -45% DECREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative…
WP BAC SEP 2024: 176 Brutal WP Broken Access Control
WP BAC SEP 2024: WP Broken Access Control Managed WP/Woo Security Report Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC SEP 2024 is a +2% INCREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative…
WP BAC AUG 2024: 172 Brutal WP Broken Access Control
WP BAC AUG 2024: WP Broken Access Control Managed WP/Woo Security Report Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC AUG 2024 is a +6% INCREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative…
WP BAC JUL 2024: 163 Brutal WP Broken Access Control
WP BAC JUL 2024: WP Broken Access Control Managed WP/Woo Security Report Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC JUL 2024 is a +44% INCREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative…
Table of Contents
- WP BAC NOV 2024: WP Broken Access Control
- Managed WP/Woo Security Report
- Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate "gazillion" different threats in your WordPress. Get your WP BAC NOV 2024: WP Broken Access Control Patch Management.
- Today's reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order your WP BAC NOV 2024: WP Broken Access Control Patch Management.
- Get security LIVEPATCH
- Stay informed
- Need managed WP security and got no clue where to start? Hire an expert. Pay a coffee per week or figure it out yourself.
- MANAGED WP/Woo SECURITY: WP Broken Access Control – WP Broken Access Control Related Posts
- WP BAC OCT 2024: 97 Brutal WP Broken Access Control
- WP BAC SEP 2024: 176 Brutal WP Broken Access Control
- WP BAC AUG 2024: 172 Brutal WP Broken Access Control
- WP BAC JUL 2024: 163 Brutal WP Broken Access Control
