WP BAC SEP 2024: WP Broken Access Control
Managed WP/Woo Security Report
Be informed about the latest WordPress Broken Access Control (BAC) vulnerabilities identified and reported publicly. WP BAC SEP 2024 is a +2% INCREASE compared to the previous month. For your online safety, consider a managed WP/Woo security AUDIT, switching to a TOP10LIST alternative WP Security Plugin, or hiring professionals for managed WP Security.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Plugin / Theme | Issue reported (every entry is in the Broken Access Control, BAC, category)
AcyMailing SMTP Newsletter | File Upload via acym_extractArchive Function
AdRotate | Double Extension File Upload
Advanced Cron Manager – debug & control | Broken Access Control
affiliate-toolkit | Unauthenticated Full Path Disclosure
Amelia | Unauthenticated Full Path Disclosure
AMP for WP | Broken Access Control
ARMember | Cross-Site Scripting (XSS) via SVG File Upload
Aruba HiSpeed Cache | Broken Access Control
Asset CleanUp: Page Speed Booster | Broken Access Control
Atarim | Broken Access Control
Atarim | Missing Authorization to Settings Update
Backup and Restore WordPress | Broken Access Control
Backup and Restore WordPress | Unauthenticated Broken Access Control
BerqWP | Unauthenticated File Upload
Bit Form – Contact Form Plugin 2.0 | File Deletion
Bit Form – Contact Form Plugin 2.0 | File Read And Deletion
Bit Form – Contact Form Plugin 2.0 | JavaScript File Uploads
Bit Form Pro | File Upload
Bit Form Pro | Plugin Settings Change
Bit Form Pro | Unauthenticated File Deletion
Bitly | Broken Access Control
Blockbooster Theme | Broken Access Control
Blog2Social | Cross-Site Scripting (XSS) via File Upload
Blog Introduction | Settings Update via Cross-Site Request Forgery (CSRF)
Blogpoet Theme | Broken Access Control
Blox Page Builder | File Upload
BookingPress | Authentication Bypass to Account Takeover
Breakdance | Missing Authorization
Clearfy Cache | Broken Access Control
Clone | Broken Access Control
Contest Gallery | Unauthenticated Comment UserID And IP Address Disclosure
CRM Perks Forms | File Upload
Depicter Slider | File Upload
Docket (WooCommerce Collections / Wishlist / Watchlist) | Unauthenticated Post/Page Deletion
Droip | Settings Change / Private Data Exposure
Droip | Unauthenticated File Download/Deletion
Easy Digital Downloads | Broken Access Control
Ebook Store | Unauthenticated Full Path Disclosure
Element Pack Elementor Addons | File Read
Enhanced Search Box | Settings Update via Cross-Site Request Forgery (CSRF)
Envira Photo Gallery | Broken Access Control
Event Espresso 4 Decaf | Missing Authorization to Plugin Settings Modification
EventPrime | Broken Access Control
Falang multilanguage | Missing Authorization to Translation Update and Private Information Exposure
Favicon Generator | Cross-Site Request Forgery (CSRF) to File Deletion
Favicon Generator | File Upload via Cross-Site Request Forgery (CSRF)
File Manager Pro | Plugin Settings Update
File Manager Pro | File Upload
Filter & Grids | Broken Authentication
Flash & HTML5 Video | Broken Access Control
Folders | Cross-Site Scripting (XSS) via SVG File Upload
Fonts | Broken Access Control
FormCraft | Broken Access Control
Fota WP Theme | Broken Access Control
Funnelforms Free | File Deletion
Funnelforms Free | File Upload
Funnelforms Free | Missing Authorization to Unauthenticated Media Upload and Deletion
Fuse Social Floating Sidebar | Cross-Site Scripting (XSS) via File Upload
GeoDirectory | Broken Access Control
GetPaid | Broken Access Control
GiveWP | Missing Authorization to Private Information Exposure
GiveWP | Missing Authorization to Unauthenticated Event Settings Update
GiveWP | Missing Authorization to File Deletion
GiveWP | Unauthenticated Full Path Disclosure
Hello Agency Theme | Broken Access Control
HelloAsso | Broken Access Control
Hummingbird | Broken Access Control
HUSKY | Privilege Escalation
Icegram Collect – Easy Form, Lead Collection and Subscription plugin | Broken Access Control
ILC Thickbox | Settings Update via Cross-Site Request Forgery (CSRF)
ImageRecycle pdf & image compression | Missing Authorization in Several AJAX Actions
infolinks Ad Wrap | Cross-Site Request Forgery (CSRF) to Settings Update
InPost for WooCommerce | Unauthenticated File Read/Delete
InPost PL | Unauthenticated File Read/Delete
JetFormBuilder | Privilege Escalation
JobSearch | Unauthenticated Account Takeover
JobSearch | Broken Access Control
JobSearch | Broken Access Control
JoomSport | Broken Access Control
JS Help Desk – Best Help Desk & Support Plugin | Broken Access Control
Leopard - WordPress offload media | Plugin Settings Change
Linkify Text | Unauthenticated Full Path Disclosure
LiteSpeed Cache | Unauthenticated Privilege Escalation
Login As Users | Broken Authentication
Login As Users | Broken Access Control to Account Takeover
Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | Cross-Site Scripting (XSS) via SVG File Upload
LWS Affiliation | Broken Access Control
MainWP Child Reports | Cross-Site Request Forgery (CSRF) to Options Update
Masteriyo - LMS | Broken Access Control
Masteriyo - LMS | Broken Access Control
MaxButtons | Full Path Disclosure
Media Library Assistant | File Upload via mla-inline-edit-upload-scripts AJAX Action
Media Library Folders | Missing Authorization on Various Functions
Memberpress | Broken Access Control
Meta Box – WordPress Custom Fields Framework | Broken Access Control
Metform Elementor Contact Form Builder | Unauthenticated Double-Extension File Upload
Misiek Photo Album | Album Deletion via Cross-Site Request Forgery (CSRF)
Mollie Payments for WooCommerce | Unauthenticated Full Path Disclosure
MP3 Audio Player for Music, Radio & Podcast by Sonaar | Missing Authorization to File Deletion
MStore API | Authentication Bypass to Account Takeover
My Custom CSS PHP & ADS | Unauthenticated Full Path Disclosure
Newsletters | Unauthenticated Full Path Disclosure
Newspack | Broken Access Control
Ninja Tables | Cross-Site Scripting (XSS) via SVG File Upload
No Update Nag | Unauthenticated Full Path Disclosure
Obfuscate Email | Unauthenticated Full Path Disclosure
oik | File Deletion
Opal Membership | Information Disclosure
Orbit Fox by ThemeIsle | Cross-Site Scripting (XSS) via SVG File Upload
Orchid Store Theme | Missing Authorization to Plugin Activation
Order Tracking | Broken Access Control
Oxygen Builder | Missing Authorization to Stylesheet Update
PDF Builder for WPForms | Unauthenticated Full Path Disclosure
Permalink Manager Lite | Missing Authorization to Unauthenticated Private Information Exposure
Persian WooCommerce | Broken Access Control
Photo Engine | Broken Access Control
Plugin Notes Plus | Content Deletion
Premium Addons for Elementor | Missing Authorization to Content Deletion and Title Update
Presto Player | Broken Access Control
Print Barcode Labels for your WooCommerce products/orders | Broken Access Control
Recipe Card Blocks for Gutenberg & Elementor | Broken Access Control
Registrations for the Events Calendar | Broken Access Control
Responsive Lightbox | Cross-Site Scripting (XSS) via File Upload
Responsive Lightbox | Broken Access Control
Reveal Template | Unauthenticated Full Path Disclosure
Reviews Feed | Missing Authorization to Settings Update
ReviewX | Broken Access Control
ReviveNews Theme | Broken Access Control
Robin image optimizer | Broken Access Control
Send Emails with Mandrill | Broken Access Control
Sign-up Sheets | Broken Access Control
Sirv | Missing Authorization to File Upload
Slider by Soliloquy | Broken Access Control to Cross-Site Scripting (XSS)
Smart Online Order for Clover | Broken Access Control
Smart Online Order for Clover | Missing Authorization to Plugin Deactivation and Data Deletion
Social Slider Feed | Broken Access Control
Sunshine Photo Cart | Broken Access Control
Superfly Menu | Cross-Site Request Forgery (CSRF) to File Deletion
Sync Post With Other Site | Missing Authorization to Post Creation and Update
TemplateSpare | Missing Authorization to Theme Update
Theme My Login | Cross-Site Request Forgery (CSRF) to Settings Update
Themify Builder | Missing Authorization to Post Duplication
The Plus Addons for Elementor Page Builder Lite | Broken Access Control
The Post Grid | Information Disclosure
Timetics | Broken Access Control
TrueBooker | Settings Update via Cross-Site Request Forgery (CSRF)
Tutor LMS | Broken Access Control
Tutor LMS Pro | Missing Authorization to Insecure Direct Object Reference
TypeSquare Webfonts | Broken Access Control
Ultimate Membership Pro | Unauthenticated Privilege Escalation
UsersWP | Users Information Disclosure
UsersWP | Broken Access Control
Visual Sound (old) | Settings Update via Cross-Site Request Forgery (CSRF)
Waitlist Woocommerce ( Back in stock notifier ) | Broken Access Control
WHMpress | Settings Change
Woffice Theme | Unauthenticated Privilege Escalation
WooCommerce Google Feed Manager | Missing Authorization to Feed Actions
WooCommerce Google Feed Manager | Missing Authorization to File Deletion
WooCommerce PDF Vouchers | Unauthenticated File Deletion
WooCommerce Social Login | Authentication Bypass to Account Takeover
WOOCS – WooCommerce Currency Switcher | Broken Access Control
WordPress File Upload | Broken Access Control
WordPress File Upload | Unauthenticated Cross-Site Scripting (XSS) via SVG File Upload
WP Accessibility Helper (WAH) | Missing Authorization to Settings Update
WPC Frequently Bought Together for WooCommerce | Broken Access Control
WP Crowdfunding | Settings Change
WP Fundraising Donation and Crowdfunding Platform | Privilege Escalation
WP Search Analytics | Broken Access Control
WP SMS | Broken Access Control
WP Social Feed Gallery | Broken Access Control
WP Testimonial Widget | Missing Authorization
WpTravelly | Broken Access Control
YARPP | Broken Access Control
YayExtra | Unauthenticated File Upload via handle_upload_file Function
Z Y N I T H | Unauthenticated Option Deletion
Z Y N I T H | Unauthenticated Plugin Settings Change
WP BAC (WordPress Broken Access Control) reported in 2023: 931
WP BAC (WordPress Broken Access Control) reported in 2024: 1239
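Most rows in the list above have one of two shapes: an AJAX or REST action that changes settings with neither a nonce nor a capability check (the "Missing Authorization" and "CSRF to Settings Update" entries), or an upload handler that is reachable without authentication and trusts the client-supplied filename (the "Unauthenticated", "Double Extension" and "SVG" upload entries). The PHP below is an added illustration written for this report; it is not code from any plugin or theme listed above. The plugin name ("Acme Widgets"), the option key and every acme_* function are invented for the example; the WordPress functions it calls (add_action, check_ajax_referer, current_user_can, wp_check_filetype_and_ext, wp_handle_upload, wp_send_json_success/error) are real core APIs.

```php
<?php
/**
 * Added illustration for the BAC report above; not code from any plugin or
 * theme listed in it. "Acme Widgets", ACME_OPTION and all acme_* names are
 * invented. The WordPress calls used are core APIs.
 */

defined( 'ABSPATH' ) || exit;

const ACME_OPTION = 'acme_widgets_settings';

/* ---- 1. Settings update: the "Missing Authorization" / "CSRF to Settings Update" shape ---- */

// BROKEN. Hooked on wp_ajax_nopriv_ so anyone on the internet can reach it; no nonce
// (CSRF) and no capability check (authorization); raw $_POST goes straight into the DB.
function acme_save_settings_broken() {
    update_option( ACME_OPTION, $_POST['settings'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_save_settings_broken', 'acme_save_settings_broken' );
add_action( 'wp_ajax_nopriv_acme_save_settings_broken', 'acme_save_settings_broken' );

// HARDENED. Logged-in only (no nopriv hook), nonce for CSRF, capability for
// authorization, and an allow-list of option keys with per-key sanitisation.
function acme_save_settings() {
    check_ajax_referer( 'acme_save_settings', '_ajax_nonce' ); // wp_die()s on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );                  // a nonce proves intent, not privilege
    }
    $in  = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] ) : array();
    $out = array(
        'api_endpoint' => esc_url_raw( $in['api_endpoint'] ?? '' ),
        'cache_ttl'    => absint( $in['cache_ttl'] ?? 0 ),
        'enabled'      => ! empty( $in['enabled'] ),
    );
    update_option( ACME_OPTION, $out );
    wp_send_json_success( $out );
}
add_action( 'wp_ajax_acme_save_settings', 'acme_save_settings' );

// The admin page hands this to its JavaScript (e.g. via wp_localize_script),
// which posts it back as _ajax_nonce.
function acme_settings_nonce() {
    return wp_create_nonce( 'acme_save_settings' );
}

/* ---- 2. Upload: the "Unauthenticated / Double Extension / SVG File Upload" shape ---- */

function acme_upload() {
    check_ajax_referer( 'acme_upload', '_ajax_nonce' );
    if ( ! current_user_can( 'upload_files' ) || empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $file = $_FILES['file'];
    // Explicit allow-list; SVG is deliberately absent (inline <script> runs when it is opened).
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' );

    // Exactly one dot: rejects "shell.php.jpg" (and extension-less names) up front.
    if ( substr_count( basename( $file['name'] ), '.' ) !== 1 ) {
        wp_send_json_error( 'bad filename', 400 );
    }
    // Core checks the extension against the allow-list and sniffs the bytes;
    // ext/type come back false when they disagree or the type is not allowed.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'type not allowed', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $moved['url'] ) );
}
add_action( 'wp_ajax_acme_upload', 'acme_upload' );
```

Two points the list makes worth checking in any plugin you audit. A nonce is bound to the user, but any logged-in subscriber can obtain one for a screen they are shown, so check_ajax_referer on its own still leaves the "Missing Authorization" class open; the current_user_can() call is what separates CSRF protection from authorization. Dropping the wp_ajax_nopriv_ hook is what removes the "Unauthenticated" variants, and an upload handler that only compares the extension the client sent (rather than calling wp_check_filetype_and_ext or equivalent) is exactly the "Double Extension" and "SVG" pattern.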
MANAGED WP/Woo SECURITY: WP Broken Access Control – WP Broken Access Control Related Posts
- WP BAC OCT 2024: 97 Brutal WP Broken Access Control
- WP BAC AUG 2024: 172 Brutal WP Broken Access Control
- WP BAC JUL 2024: 163 Brutal WP Broken Access Control
- WP BAC JUN 2024: 113 Brutal WP Broken Access Control