Discover Tuta Mail: Turn ON Privacy. Take back your data with Tuta's encrypted email, calendar and contacts.
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC APR 2024 is a +8% INCREASE compared to previous month. Consider for your online safety, a managed security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin - OR - Hire professionals for managed Security.
As these non-enforced access cases from publicly reported vulnerable plugins are on your domain, it opens Pandora’s box from a security point of view. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
| 360 Javascript Viewer | Missing Authorization (BAC) to Plugin Settings Update (BAC) |
| Accordion | Missing Authorization (BAC) to Post Duplication |
| Advanced Classifieds & Directory Pro | Missing Authorization (BAC) to Arbitrary Attachment Deletion (BAC) |
| affiliate-toolkit | Missing Authorization (BAC) via atkp_create_list |
| affiliate-toolkit | Missing Authorization (BAC) via atkp_import_product |
| AI Engine: ChatGPT Chatbot | Arbitrary File Upload (BAC) |
| AI WP Writer | Broken Access Control (BAC) |
| Ajax Load More | Directory Traversal (BAC) to Arbitrary File Read (BAC) |
| ArtiBot | Missing Authorization (BAC) to Settings Update (BAC) |
| Auto Affiliate Links | Missing Authorization (BAC) via aalAddLink |
| Avada Theme | Unauthenticated Sensitive Information Exposure via Form Upload (BAC) Directory Listing |
| Awesome Support | Broken Access Control (BAC) |
| Backuply – Backup, Restore, Migrate and Clone | Directory Traversal (BAC) |
| BEAR | Broken Access Control (BAC) |
| Booking Package | Price Manipulation (BAC) |
| Booster Elite for WooCommerce | Arbitrary File Upload (BAC) |
| BuddyForms | Missing Authorization (BAC) to Unauthenticated Media Deletion (BAC) |
| BuddyForms | Missing Authorization (BAC) |
| BuddyForms | Missing Authorization (BAC) to Unauthenticated Media Upload (BAC) |
| Build & Control Block Patterns | Missing Authorization (BAC) |
| Bulgarisation for WooCommerce | Missing Authorization (BAC) |
| Calendarista Basic Edition | Broken Access Control (BAC) |
| Categorify | Multiple Missing Authorization (BAC) |
| CGC Maintenance Mode | IP Filtering Bypass (BAC) |
| Change Memory Limit | Missing Authorization (BAC) via admin_logic() |
| Chauffeur Taxi Booking System for WordPress | Arbitrary File Upload (BAC) |
| Church Admin | Broken Access Control (BAC) |
| CM Download Manager | Download Edit (BAC) via Cross-Site Request Forgery (CSRF) |
| CM Download Manager | Download Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
| CM Download Manager | Download Unpublish (BAC) via Cross-Site Request Forgery (CSRF) |
| Colibri Page Builder | Broken Access Control (BAC) |
| Colibri Page Builder | Missing Authorization (BAC) |
| Coming Soon, Under Construction & Maintenance Mode By Dazzler | Maintenance Mode Bypass (BAC) |
| Complianz – PDPA/CCPA Cookie Consent | Cross-Site Request Forgery (CSRF) to Data Request Deletion (BAC) |
| Contests by Rewards Fuel | Cross-Site Scripting (XSS) via Update (BAC)_rewards_fuel_api_key |
| Cryptocurrency Widgets – Price Ticker & Coins List | Broken Access Control (BAC) |
| CubeWP – All-in-One Dynamic Content Framework | Arbitrary File Upload (BAC) |
| DELUCKS SEO | Broken Access Control (BAC) |
| DX-Watermark | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) and Cross-Site Scripting (XSS) |
| Easy Appointments | Insufficient Authorization (BAC) |
| Enjoy Social Feed plugin for WordPress website | Plugin Database Reset (BAC) |
| Error Log Viewer by BestWebSoft | Directory Listing (BAC) to Private Data Exposure |
| Essential Blocks for Gutenberg | Broken Access Control (BAC) |
| Event Tickets | Improper Authorization (BAC) to Private Information Disclosure |
| EventPrime | Multiple Missing Authorization (BAC) |
| EventPrime | Multiple Missing Authorization (BAC) |
| EventPrime | Multiple Missing Authorization (BAC) |
| Events Manager | Broken Access Control (BAC) |
| File Manager | Cross-Site Request Forgery (CSRF) to Local JS File Inclusion (BAC) |
| File Manager | Directory Traversal (BAC) |
| File Manager Pro | Directory Traversal (BAC) |
| Finale Lite | Missing Authorization (BAC) to Unauthenticated System Private Information Disclosure |
| Formidable Registration | Arbitrary User Password Reset (BAC) to Account Takeover |
| Graphene Theme | Missing Authorization (BAC) |
| HT Easy GA4 ( Google Analytics 4 ) | Missing Authorization (BAC) to Unauthenticated GA Email Update (BAC) |
| HT Mega | Directory Traversal (BAC) |
| Import Export WordPress Users | Path Traversal (BAC) |
| IP Blocker Lite | Bypass (BAC) |
| JCH Optimize | Broken Access Control (BAC) |
| Klarna Payments for WooCommerce | Broken Access Control (BAC) |
| LadiApp | Missing Authorization (BAC) |
| Layouts for Elementor | Arbitrary File Upload (BAC) |
| Management App for WooCommerce | Arbitrary File Upload (BAC) |
| Master Slider | Cross-Site Scripting (XSS) via slider callback |
| MasterStudy LMS | Missing Authorization (BAC) to Sensitive Information Exposure in search_posts |
| Max Mega Menu | Broken Access Control (BAC) |
| Mollie Forms | Missing Authorization (BAC) to Arbitrary Post Duplication |
| Mollie Forms | Missing Authorization (BAC) |
| Move Addons for Elementor | Broken Access Control (BAC) |
| MP3 Audio Player for Music, Radio & Podcast by Sonaar | Broken Access Control (BAC) |
| Multiple Page Generator Plugin – MPG | Broken Access Control (BAC) |
| Networker Theme | Missing Authorization (BAC) |
| New Order Notification for Woocommerce | Broken Access Control (BAC) |
| Newsletter | IP Blacklist Bypass (BAC) |
| NextMove Lite | Missing Authorization (BAC) to Unauthenticated System Private Information Disclosure |
| OceanWP Theme | Missing Authorization (BAC) to Sensitive Information Exposure via LimitedLocal File Inclusion (BAC) |
| Olive One Click Demo Import | Broken Access Control (BAC) |
| Order Tip for WooCommerce | Missing Authorization (BAC) to Unauthenticated Data Export |
| Otter Blocks PRO | Unauthenticated Cross-Site Scripting (XSS) via SVG Upload (BAC) |
| Page Builder Sandwich – Front-End Page Builder | Missing Authorization (BAC) to Arbitrary Post Editing |
| PageLayer | Broken Access Control (BAC) |
| Permalink Manager Lite | Missing Authorization (BAC) via get_uri_editor |
| Permalink Manager Lite | Missing Authorization (BAC) to Arbitrary post slug modification |
| Pie Register | Unauthenticated Arbitrary File Upload (BAC) |
| Play.ht | Missing Authorization (BAC) |
| Pods | Missing Authorization (BAC) |
| Premmerce Permalink Manager for WooCommerce | Local File Inclusion (BAC) |
| Product Import Export for WooCommerce | Arbitrary File Upload (BAC) |
| RegistrationMagic | Privilege Escalation (BAC) |
| Restaurant Reservations | Directory Traversal (BAC) to Local File Inclusion (BAC) |
| RevivePress | Missing Authorization (BAC) |
| RT Easy Builder – Advanced addons for Elementor | Broken Access Control (BAC) |
| Salon booking system | Arbitrary File Upload (BAC) |
| Shortcode Addons | Arbitrary File Upload (BAC) |
| Shortcodes and extra features for Phlox Theme | Broken Access Control (BAC) |
| Shortlinks by Pretty Links | Cross-Site Request Forgery (CSRF) to Plugin Settings Update (BAC) |
| Simple Restrict | Missing Authorization (BAC) to Sensitive Information Exposure |
| Simply Schedule Appointments | Cross-Site Request Forgery (CSRF) to Plugin Data Reset (BAC) |
| Sirv | Broken Access Control (BAC) |
| Sliced Invoices | Broken Access Control (BAC) |
| Smart Custom Fields | Missing Authorization (BAC) to Post Content Private Information Disclosure |
| Social Icons Widget & Block by WPZOOM | Broken Access Control (BAC) |
| SP Project & Document Manager | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
| Spiffy Calendar | Broken Access Control (BAC) |
| SportsPress – Sports Club & League Manager | Missing Authorization (BAC) to Unauthenticated Event Permalink Update (BAC) |
| Tainacan | Broken Access Control (BAC) |
| TeraWallet – For WooCommerce | Missing Authorization (BAC) to User Email Export |
| Testimonial Slider | Settings Update (BAC) |
| The Plus Addons for Elementor Page Builder Lite | Local File Inclusion (BAC) |
| Total Theme | Missing Authorization (BAC) to Sections Update (BAC) |
| Tourfic | Arbitrary File Upload (BAC) |
| Tumult Hype Animations | Arbitrary File Upload (BAC) |
| Tutor LMS | Missing Authorization (BAC) to Arbitrary Post Deletion (BAC) |
| Ultimate Gift Cards For WooCommerce | Missing Authorization (BAC) to Unauthenticated Information Exposure |
| VS Contact Form | Captcha Bypass (BAC) |
| weForms | Broken Access Control (BAC) |
| Whizzy | Broken Access Control (BAC) |
| WholesaleX | Broken Access Control (BAC) |
| WooCommerce Add to Cart Custom Redirect | Missing Authorization (BAC) to Limited Arbitrary Options Update (BAC) |
| WooCommerce Cloak Affiliate Links | Missing Authorization (BAC) to Unauthenticated Permalink Modification |
| WooCommerce Clover Payment Gateway | Missing Authorization (BAC) via callback_handler |
| WooCommerce Multilingual & Multicurrency | Broken Access Control (BAC) |
| WP Compress – Image Optimizer [All-In-One] | Missing Authorization (BAC) to Unauthenticated CDN Modification |
| WP Express Checkout (Accept PayPal Payments) | Price Manipulation (BAC) |
| WP Hotel Booking | Broken Access Control (BAC) |
| WP SendFox | Broken Access Control (BAC) |
| Wp Social | Missing Authorization (BAC) to Unauthenticated Social Login/Share Status Update (BAC) |
| WPC Management for WooCommerce | Broken Access Control (BAC) |
| YITH WooCommerce Account Funds Premium | Broken Access Control (BAC) |
| Zippy | Arbitrary File Upload (BAC) |
| WordPress BAC & WP Broken Access Control reported in 2023: | 931 |
| WordPress BAC & WP Broken Access Control reported in 2024: | 343 |
How wonderful would be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of a premium cup of coffee per week, for your first managed service.
Start simply by contacting us with your selections:
We care about the protection of your personal data. Update, subscribe or unsubscribe anytime. Read our Privacy Policy.