WP BAC SEP 2024: WP Broken Access Control
Managed WP/Woo Security Report
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC SEP 2024 is a +2% INCREASE compared to previous month. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin - OR - Hire professionals for managed WP Security.
The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
AcyMailing SMTP Newsletter | File Upload (BAC) via acym_extractArchive Function |
AdRotate | Double Extension File Upload (BAC) |
Advanced Cron Manager – debug & control | Broken Access Control (BAC) |
affiliate-toolkit | Unauthenticated Full Path Dislcosure (BAC) |
Amelia | Unauthenticated Full Path Disclosure (BAC) |
AMP for WP | Broken Access Control (BAC) |
ARMember | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Aruba HiSpeed Cache | Broken Access Control (BAC) |
Asset CleanUp: Page Speed Booster | Broken Access Control (BAC) |
Atarim | Broken Access Control (BAC) |
Atarim | Missing Authorization (BAC) to Settings Update (BAC) |
Backup and Restore WordPress | Broken Access Control (BAC) |
Backup and Restore WordPress | Unauthenticated Broken Access Control (BAC) |
BerqWP | Unauthenticated File Upload (BAC) |
Bit Form – Contact Form Plugin 2.0 | File Deletion (BAC) |
Bit Form – Contact Form Plugin 2.0 | File Read (BAC) And Deletion (BAC) |
Bit Form – Contact Form Plugin 2.0 | JavaScript File Upload (BAC)s |
Bit Form Pro | File Upload (BAC) |
Bit Form Pro | Plugin Settings Change (BAC) |
Bit Form Pro | Unauthenticated File Deletion (BAC) |
Bitly | Broken Access Control (BAC) |
Blockbooster Theme | Broken Access Control (BAC) |
Blog2Social | Cross-Site Scripting (XSS) via File Upload (BAC) |
Blog Introduction | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Blogpoet Theme | Broken Access Control (BAC) |
Blox Page Builder | File Upload (BAC) |
BookingPress | Authentication Bypass to Account Takeover (BAC) |
Breakdance | Missing Authorization (BAC) |
Clearfy Cache | Broken Access Control (BAC) |
Clone | Broken Access Control (BAC) |
Contest Gallery | Unauthenticated Comment UserID And IP address Disclosure (BAC) |
CRM Perks Forms | File Upload (BAC) |
Depicter Slider | File Upload (BAC) |
Docket (WooCommerce Collections / Wishlist / Watchlist) | Unauthenticated Post/Page Deletion (BAC) |
Droip | Settings Change (BAC)/Private Data Exposure |
Droip | Unauthenticated File Download/Deletion (BAC) |
Easy Digital Downloads | Broken Access Control (BAC) |
Ebook Store | Unauthenticated Full Path Disclosure (BAC) |
Element Pack Elementor Addons | File Read (BAC) |
Enhanced Search Box | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Envira Photo Gallery | Broken Access Control (BAC) |
Event Espresso 4 Decaf | Missing Authorization (BAC) to Plugin Settings Modification (BAC) |
EventPrime | Broken Access Control (BAC) |
Falang multilanguage | Missing Authorization (BAC) to Translation Update (BAC) and Private Information Exposure |
Favicon Generator | Cross-Site Request Forgery (CSRF) to File Deletion (BAC) |
Favicon Generator | File Upload (BAC) via Cross-Site Request Forgery (CSRF) |
File Manager Pro | Plugin Settings Update (BAC) |
File Manager Pro | File Upload (BAC) |
Filter & Grids | Broken Authentication (BAC) |
Flash & HTML5 Video | Broken Access Control (BAC) |
Folders | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Fonts | Broken Access Control (BAC) |
FormCraft | Broken Access Control (BAC) |
Fota WP Theme | Broken Access Control (BAC) |
Funnelforms Free | File Deletion (BAC) |
Funnelforms Free | File Upload (BAC) |
Funnelforms Free | Missing Authorization (BAC) to Unauthenticated Media Upload (BAC) and Deletion (BAC) |
Fuse Social Floating Sidebar | Cross-Site Scripting (XSS) via File Upload (BAC) |
GeoDirectory | Broken Access Control (BAC) |
GetPaid | Broken Access Control (BAC) |
GiveWP | Missing Authorization (BAC) to Private Information Exposure |
GiveWP | Missing Authorization (BAC) to Unauthenticated Event Settings Update (BAC) |
GiveWP | Missing Authorization (BAC) to File Deletion (BAC) |
GiveWP | Unauthenticated Full Path Disclosure (BAC) |
Hello Agency Theme | Broken Access Control (BAC) |
HelloAsso | Broken Access Control (BAC) |
Hummingbird | Broken Access Control (BAC) |
HUSKY | Privilege Escalation (BAC) |
Icegram Collect – Easy Form, Lead Collection and Subscription plugin | Broken Access Control (BAC) |
ILC Thickbox | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
ImageRecycle pdf & image compression | Missing Authorization (BAC) in Several AJAX Actions |
infolinks Ad Wrap | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
InPost for WooCommerce | Unauthenticated File Read (BAC)/Delete (BAC) |
InPost PL | Unauthenticated File Read (BAC)/Delete (BAC) |
JetFormBuilder | Privilege Escalation (BAC) |
JobSearch | Unauthenticated Account Takeover (BAC) |
JobSearch | Broken Access Control (BAC) |
JobSearch | Broken Access Control (BAC) |
JoomSport | Broken Access Control (BAC) |
JS Help Desk – Best Help Desk & Support Plugin | Broken Access Control (BAC) |
Leopard - WordPress offload media | Plugin Settings Change (BAC) |
Linkify Text | Unauthenticated Full Path Disclosure (BAC) |
LiteSpeed Cache | Unauthenticated Privilege Escalation (BAC) |
Login As Users | Broken Authentication (BAC) |
Login As Users | Broken Access Control (BAC) to Account Takeover (BAC) |
Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
LWS Affiliation | Broken Access Control (BAC) |
MainWP Child Reports | Cross-Site Request Forgery (CSRF) to Options Update (BAC) |
Masteriyo - LMS | Broken Access Control (BAC) |
Masteriyo - LMS | Broken Access Control (BAC) |
MaxButtons | Full Path Disclosure (BAC) |
Media Library Assistant | File Upload (BAC) via mla-inline-edit-Upload (BAC)-scripts AJAX Action |
Media Library Folders | Missing Authorization (BAC) on Various Functions |
Memberpress | Broken Access Control (BAC) |
Meta Box – WordPress Custom Fields Framework | Broken Access Control (BAC) |
Metform Elementor Contact Form Builder | Unauthenticated Double-Extension File Upload (BAC) |
Misiek Photo Album | Album Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
Mollie Payments for WooCommerce | Unauthenticated Full Path Disclosure (BAC) |
MP3 Audio Player for Music, Radio & Podcast by Sonaar | Missing Authorization (BAC) to File Deletion (BAC) |
MStore API | Authentication Bypass to Account Takeover (BAC) |
My Custom CSS PHP & ADS | Unauthenticated Full Path Disclosure (BAC) |
Newsletters | Unauthenticated Full Path Disclosure (BAC) |
Newspack | Broken Access Control (BAC) |
Ninja Tables | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
No Update Nag | Unauthenticated Full Path Disclosure (BAC) |
Obfuscate Email | Unauthenticated Full Path Disclosure (BAC) |
oik | File Deletion (BAC) |
Opal Membership | Information Disclosure (BAC) |
Orbit Fox by ThemeIsle | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Orchid Store Theme | Missing Authorization (BAC) to Plugin Activation (BAC) |
Order Tracking | Broken Access Control (BAC) |
Oxygen Builder | Missing Authorization (BAC) to Stylesheet Update (BAC) |
PDF Builder for WPForms | Unauthenticated Full Path Disclosure (BAC) |
Permalink Manager Lite | Missing Authorization (BAC) to Unauthenticated Private Information Exposure |
Persian WooCommerce | Broken Access Control (BAC) |
Photo Engine | Broken Access Control (BAC) |
Plugin Notes Plus | Content Deletion (BAC) |
Premium Addons for Elementor | Missing Authorization (BAC) to Content Deletion (BAC) and Title Update (BAC) |
Presto Player | Broken Access Control (BAC) |
Print Barcode Labels for your WooCommerce products/orders | Broken Access Control (BAC) |
Recipe Card Blocks for Gutenberg & Elementor | Broken Access Control (BAC) |
Registrations for the Events Calendar | Broken Access Control (BAC) |
Responsive Lightbox | Cross-Site Scripting (XSS) via File Upload (BAC) |
Responsive Lightbox | Broken Access Control (BAC) |
Reveal Template | Unauthenticated Full Path Disclosure (BAC) |
Reviews Feed | Missing Authorization (BAC) to Settings Update (BAC) |
ReviewX | Broken Access Control (BAC) |
ReviveNews Theme | Broken Access Control (BAC) |
Robin image optimizer | Broken Access Control (BAC) |
Send Emails with Mandrill | Broken Access Control (BAC) |
Sign-up Sheets | Broken Access Control (BAC) |
Sirv | Missing Authorization (BAC) to File Upload (BAC) |
Slider by Soliloquy | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Smart Online Order for Clover | Broken Access Control (BAC) |
Smart Online Order for Clover | Missing Authorization (BAC) to Plugin Deactivation and Data Deletion (BAC) |
Social Slider Feed | Broken Access Control (BAC) |
Sunshine Photo Cart | Broken Access Control (BAC) |
Superfly Menu | Cross-Site Request Forgery (CSRF) to File Deletion (BAC) |
Sync Post With Other Site | Missing Authorization (BAC) to Post Creation and Update (BAC) |
TemplateSpare | Missing Authorization (BAC) to Theme Update (BAC) |
Theme My Login | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
Themify Builder | Missing Authorization (BAC) to Post Duplication |
The Plus Addons for Elementor Page Builder Lite | Broken Access Control (BAC) |
The Post Grid | Information Disclosure (BAC) |
Timetics | Broken Access Control (BAC) |
TrueBooker | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Tutor LMS | Broken Access Control (BAC) |
Tutor LMS Pro | Missing Authorization (BAC) to Insecure Direct Object Reference |
TypeSquare Webfonts | Broken Access Control (BAC) |
Ultimate Membership Pro | Unauthenticated Privilege Escalation (BAC) |
UsersWP | Users Information Disclosure (BAC) |
UsersWP | Broken Access Control (BAC) |
Visual Sound (old) | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Waitlist Woocommerce ( Back in stock notifier ) | Broken Access Control (BAC) |
WHMpress | Settings Change (BAC) |
Woffice Theme | Unauthenticated Privilege Escalation (BAC) |
WooCommerce Google Feed Manager | Missing Authorization (BAC) to Feed Actions |
WooCommerce Google Feed Manager | Missing Authorization (BAC) to File Deletion (BAC) |
WooCommerce PDF Vouchers | Unauthenticated File Deletion (BAC) |
WooCommerce Social Login | Authentication Bypass to Account Takeover (BAC) |
WOOCS – WooCommerce Currency Switcher | Broken Access Control (BAC) |
WordPress File Upload | Broken Access Control (BAC) |
WordPress File Upload | Unauthenticated Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
WP Accessibility Helper (WAH) | Missing Authorization (BAC) to Settings Update (BAC) |
WPC Frequently Bought Together for WooCommerce | Broken Access Control (BAC) |
WP Crowdfunding | Settings Change (BAC) |
WP Fundraising Donation and Crowdfunding Platform | Privilege Escalation (BAC) |
WP Search Analytics | Broken Access Control (BAC) |
WP SMS | Broken Access Control (BAC) |
WP Social Feed Gallery | Broken Access Control (BAC) |
WP Testimonial Widget | Missing Authorization (BAC) |
WpTravelly | Broken Access Control (BAC) |
YARPP | Broken Access Control (BAC) |
YayExtra | Unauthenticated File Upload (BAC) via handle_Upload (BAC)_file Function |
Z Y N I T H | Unauthenticated Option Deletion (BAC) |
Z Y N I T H | Unauthenticated Plugin Settings Change (BAC) |
WP BAC & WordPress Broken Access Control reported in 2023: | 931 |
WP BAC & WordPress Broken Access Control reported in 2024: | 1239 |
MANAGED WP/Woo SECURITY: WP Broken Access Control – WP Broken Access Control Related Posts
Table of Contents
- WP BAC SEP 2024: WP Broken Access Control
- Managed WP/Woo Security Report
- Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS) to mitigate "gazillion" different threats in your WordPress. Get your WP BAC SEP 2024: WP Broken Access Control Patch Management.
- Today's reality requires daily clean-ups with database optimisations, weekly updates and upgrades for both free & premium modules, plus the occasional emergency changes when critical vulnerabilities are publicly disclosed without patches. Order your WP BAC SEP 2024: WP Broken Access Control Patch Management.
- Let's help with these .... BAD news
- Get NEXT vulnerability alert:
- Need managed WP security and got no clue where to start? Hire an expert. Pay a coffee per week or figure it out yourself.
- MANAGED WP/Woo SECURITY: WP Broken Access Control – WP Broken Access Control Related Posts
- WP BAC OCT 2024: 97 Brutal WP Broken Access Control
- WP BAC AUG 2024: 172 Brutal WP Broken Access Control
- WP BAC JUL 2024: 163 Brutal WP Broken Access Control
- WP BAC JUN 2024: 113 Brutal WP Broken Access Control