WP BAC APR 2024

Brutal WP BAC APR 2024: 130 WP Broken Access Control vulnerabilities

Stay informed about the latest WP Broken Access Control vulnerabilities that were identified and publicly reported. WP BAC APR 2024 shows an 8% increase compared to the previous month. For your online safety, consider a managed security audit, switching to a TOP10LIST alternative WP security plugin, or hiring professionals for managed security.

WP BAC APR 2024

If any of these publicly reported vulnerable plugins with non-enforced access checks is installed on your domain, it opens Pandora’s box from a security point of view. The following cases made headlines publicly just last month in the WP Broken Access Control category:

360 Javascript Viewer Missing Authorization (BAC) to Plugin Settings Update (BAC)
Accordion Missing Authorization (BAC) to Post Duplication
Advanced Classifieds & Directory Pro Missing Authorization (BAC) to Arbitrary Attachment Deletion (BAC)
affiliate-toolkit Missing Authorization (BAC) via atkp_create_list
affiliate-toolkit Missing Authorization (BAC) via atkp_import_product
AI Engine: ChatGPT Chatbot Arbitrary File Upload (BAC)
AI WP Writer Broken Access Control (BAC)
Ajax Load More Directory Traversal (BAC) to Arbitrary File Read (BAC)
ArtiBot Missing Authorization (BAC) to Settings Update (BAC)
Auto Affiliate Links Missing Authorization (BAC) via aalAddLink
Avada Theme Unauthenticated Sensitive Information Exposure via Form Upload (BAC) Directory Listing
Awesome Support Broken Access Control (BAC)
Backuply – Backup, Restore, Migrate and Clone Directory Traversal (BAC)
BEAR Broken Access Control (BAC)
Booking Package Price Manipulation (BAC)
Booster Elite for WooCommerce Arbitrary File Upload (BAC)
BuddyForms Missing Authorization (BAC) to Unauthenticated Media Deletion (BAC)
BuddyForms Missing Authorization (BAC)
BuddyForms Missing Authorization (BAC) to Unauthenticated Media Upload (BAC)
Build & Control Block Patterns Missing Authorization (BAC)
Bulgarisation for WooCommerce Missing Authorization (BAC)
Calendarista Basic Edition Broken Access Control (BAC)
Categorify Multiple Missing Authorization (BAC)
CGC Maintenance Mode IP Filtering Bypass (BAC)
Change Memory Limit Missing Authorization (BAC) via admin_logic()
Chauffeur Taxi Booking System for WordPress Arbitrary File Upload (BAC)
Church Admin Broken Access Control (BAC)
CM Download Manager Download Edit (BAC) via Cross-Site Request Forgery (CSRF)
CM Download Manager Download Deletion (BAC) via Cross-Site Request Forgery (CSRF)
CM Download Manager Download Unpublish (BAC) via Cross-Site Request Forgery (CSRF)
Colibri Page Builder Broken Access Control (BAC)
Colibri Page Builder Missing Authorization (BAC)
Coming Soon, Under Construction & Maintenance Mode By Dazzler Maintenance Mode Bypass (BAC)
Complianz – PDPA/CCPA Cookie Consent Cross-Site Request Forgery (CSRF) to Data Request Deletion (BAC)
Contests by Rewards Fuel Cross-Site Scripting (XSS) via update_rewards_fuel_api_key (BAC)
Cryptocurrency Widgets – Price Ticker & Coins List Broken Access Control (BAC)
CubeWP – All-in-One Dynamic Content Framework Arbitrary File Upload (BAC)
DELUCKS SEO Broken Access Control (BAC)
DX-Watermark Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) and Cross-Site Scripting (XSS)
Easy Appointments Insufficient Authorization (BAC)
Enjoy Social Feed plugin for WordPress website Plugin Database Reset (BAC)
Error Log Viewer by BestWebSoft Directory Listing (BAC) to Private Data Exposure
Essential Blocks for Gutenberg Broken Access Control (BAC)
Event Tickets Improper Authorization (BAC) to Private Information Disclosure
EventPrime Multiple Missing Authorization (BAC)
EventPrime Multiple Missing Authorization (BAC)
EventPrime Multiple Missing Authorization (BAC)
Events Manager Broken Access Control (BAC)
File Manager Cross-Site Request Forgery (CSRF) to Local JS File Inclusion (BAC)
File Manager Directory Traversal (BAC)
File Manager Pro Directory Traversal (BAC)
Finale Lite Missing Authorization (BAC) to Unauthenticated System Private Information Disclosure
Formidable Registration Arbitrary User Password Reset (BAC) to Account Takeover
Graphene Theme Missing Authorization (BAC)
HT Easy GA4 ( Google Analytics 4 ) Missing Authorization (BAC) to Unauthenticated GA Email Update (BAC)
HT Mega Directory Traversal (BAC)
Import Export WordPress Users Path Traversal (BAC)
IP Blocker Lite Bypass (BAC)
JCH Optimize Broken Access Control (BAC)
Klarna Payments for WooCommerce Broken Access Control (BAC)
LadiApp Missing Authorization (BAC)
Layouts for Elementor Arbitrary File Upload (BAC)
Management App for WooCommerce Arbitrary File Upload (BAC)
Master Slider Cross-Site Scripting (XSS) via slider callback
MasterStudy LMS Missing Authorization (BAC) to Sensitive Information Exposure in search_posts
Max Mega Menu Broken Access Control (BAC)
Mollie Forms Missing Authorization (BAC) to Arbitrary Post Duplication
Mollie Forms Missing Authorization (BAC)
Move Addons for Elementor Broken Access Control (BAC)
MP3 Audio Player for Music, Radio & Podcast by Sonaar Broken Access Control (BAC)
Multiple Page Generator Plugin – MPG Broken Access Control (BAC)
Networker Theme Missing Authorization (BAC)
New Order Notification for Woocommerce Broken Access Control (BAC)
Newsletter IP Blacklist Bypass (BAC)
NextMove Lite Missing Authorization (BAC) to Unauthenticated System Private Information Disclosure
OceanWP Theme Missing Authorization (BAC) to Sensitive Information Exposure via Limited Local File Inclusion (BAC)
Olive One Click Demo Import Broken Access Control (BAC)
Order Tip for WooCommerce Missing Authorization (BAC) to Unauthenticated Data Export
Otter Blocks PRO Unauthenticated Cross-Site Scripting (XSS) via SVG Upload (BAC)
Page Builder Sandwich – Front-End Page Builder Missing Authorization (BAC) to Arbitrary Post Editing
PageLayer Broken Access Control (BAC)
Permalink Manager Lite Missing Authorization (BAC) via get_uri_editor
Permalink Manager Lite Missing Authorization (BAC) to Arbitrary post slug modification
Pie Register Unauthenticated Arbitrary File Upload (BAC)
Play.ht Missing Authorization (BAC)
Pods Missing Authorization (BAC)
Premmerce Permalink Manager for WooCommerce Local File Inclusion (BAC)
Product Import Export for WooCommerce Arbitrary File Upload (BAC)
RegistrationMagic Privilege Escalation (BAC)
Restaurant Reservations Directory Traversal (BAC) to Local File Inclusion (BAC)
RevivePress Missing Authorization (BAC)
RT Easy Builder – Advanced addons for Elementor Broken Access Control (BAC)
Salon booking system Arbitrary File Upload (BAC)
Shortcode Addons Arbitrary File Upload (BAC)
Shortcodes and extra features for Phlox Theme Broken Access Control (BAC)
Shortlinks by Pretty Links Cross-Site Request Forgery (CSRF) to Plugin Settings Update (BAC)
Simple Restrict Missing Authorization (BAC) to Sensitive Information Exposure
Simply Schedule Appointments Cross-Site Request Forgery (CSRF) to Plugin Data Reset (BAC)
Sirv Broken Access Control (BAC)
Sliced Invoices Broken Access Control (BAC)
Smart Custom Fields Missing Authorization (BAC) to Post Content Private Information Disclosure
Social Icons Widget & Block by WPZOOM Broken Access Control (BAC)
SP Project & Document Manager Broken Access Control (BAC) to Cross-Site Scripting (XSS)
Spiffy Calendar Broken Access Control (BAC)
SportsPress – Sports Club & League Manager Missing Authorization (BAC) to Unauthenticated Event Permalink Update (BAC)
Tainacan Broken Access Control (BAC)
TeraWallet – For WooCommerce Missing Authorization (BAC) to User Email Export
Testimonial Slider Settings Update (BAC)
The Plus Addons for Elementor Page Builder Lite Local File Inclusion (BAC)
Total Theme Missing Authorization (BAC) to Sections Update (BAC)
Tourfic Arbitrary File Upload (BAC)
Tumult Hype Animations Arbitrary File Upload (BAC)
Tutor LMS Missing Authorization (BAC) to Arbitrary Post Deletion (BAC)
Ultimate Gift Cards For WooCommerce Missing Authorization (BAC) to Unauthenticated Information Exposure
VS Contact Form Captcha Bypass (BAC)
weForms Broken Access Control (BAC)
Whizzy Broken Access Control (BAC)
WholesaleX Broken Access Control (BAC)
WooCommerce Add to Cart Custom Redirect Missing Authorization (BAC) to Limited Arbitrary Options Update (BAC)
WooCommerce Cloak Affiliate Links Missing Authorization (BAC) to Unauthenticated Permalink Modification
WooCommerce Clover Payment Gateway Missing Authorization (BAC) via callback_handler
WooCommerce Multilingual & Multicurrency Broken Access Control (BAC)
WP Compress – Image Optimizer [All-In-One] Missing Authorization (BAC) to Unauthenticated CDN Modification
WP Express Checkout (Accept PayPal Payments) Price Manipulation (BAC)
WP Hotel Booking Broken Access Control (BAC)
WP SendFox Broken Access Control (BAC)
Wp Social Missing Authorization (BAC) to Unauthenticated Social Login/Share Status Update (BAC)
WPC Management for WooCommerce Broken Access Control (BAC)
YITH WooCommerce Account Funds Premium Broken Access Control (BAC)
Zippy Arbitrary File Upload (BAC)
WordPress BAC & WP Broken Access Control reported in 2023: 931
WordPress BAC & WP Broken Access Control reported in 2024: 343

ultrai.ae managed online © 2023 - 2024 – All rights reserved