Stay informed about the latest WP Broken Access Control (BAC) vulnerabilities, identified and reported publicly. WP BAC for April 2025 is an 8% INCREASE compared to the previous month. For your online safety, consider a managed security AUDIT, switching to a TOP10LIST alternative WP Security Plugin, or hiring professionals for managed Security.
If any of these publicly reported vulnerable plugins with unenforced access checks is installed on your domain, it opens Pandora’s box from a security point of view. The following cases (plugin or theme, then the reported issue) made headlines PUBLICLY just last month in the WP Broken Access Control category:
Admin and Site Enhancements (ASE) | Limit Login Attempt Bypass (BAC) from IP Spoofing |
Administrator Z | Missing Authorization (BAC) to Options Update (BAC) |
Ads by WPQuads | Broken Access Control (BAC) |
Advanced Dewplayer | Broken Access Control (BAC) |
Advanced File Manager | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Advanced iFrame | Unauthenticated Settings Update (BAC) |
Aiomatic | Missing Authorization (BAC) to Multiple Administrator Actions |
Aiomatic | Missing Authorization (BAC) to File Upload (BAC) |
Altair Theme | Unauthenticated Options Update (BAC) from pp_import_current |
Amazing service box Addons For WPBakery Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Analytify | Private Settings Change (BAC) |
Animation Addons for Elementor Pro | Missing Authorization (BAC) to Plugin Installation/Activation (BAC) |
Ayyash Studio | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
bbPress | Cross-Site Request Forgery (CSRF) and Limited Privilege Escalation (BAC) |
Big Store Theme | Broken Access Control (BAC) |
Bit Assist | Path Traversal (BAC) |
Bitspecter Suite | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Block Spam By Math Reloaded | Broken Access Control (BAC) |
BoomBox Theme Extensions | Privilege Escalation (BAC) from Password Reset/Account Takeover (BAC) in boombox_ajax_reset_password |
BP Email Assign Templates | Content Deletion (BAC) |
BWL Advanced FAQ Manager | Missing Authorization (BAC) to Limited Options Update (BAC) |
Chatbox Manager | Broken Access Control (BAC) |
cits-support-svg-webp-media-upload | Cross-Site Request Forgery (CSRF) and Font Assignment Deletion (BAC) |
Civi Theme | Authentication Bypass (BAC) from Non-Randomized Password for SSO Accounts |
Civi Theme | Authentication Bypass (BAC) from Password Update |
Clear Sucuri Cache | Broken Access Control (BAC) |
CM Download Manager | File Deletion (BAC) |
Code Snippets CPT | Shortcode Execution (BAC) |
Content Control | Unauthenticated Content Restriction Bypass (BAC) to Private Information Exposure |
Conversiosio | Broken Access Control (BAC) |
Cookiebot | Missing Authorization (BAC) to Survey Submission |
Cool Author Box | Broken Access Control (BAC) |
CozyStay Theme | Missing Authorization (BAC) to Action Execution (BAC) in ajax_handler |
CRM and Lead Management by vcita | Missing Authorization (BAC) to Widget Toggle |
CS Framework | File Deletion (BAC) |
CS Framework | File Read (BAC) |
CSV to Responsive Tables | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
DesignThemes Core Features | Missing Authorization (BAC) to Unauthenticated File Read (BAC) from dt_process_imported_file |
Directorist | Missing Authorization (BAC) to Unauthenticated Post Publishing |
Download Manager | Path Traversal (BAC) to Limited File Overwrite |
Drag and Drop Multiple File Upload – Contact Form 7 | Unauthenticated File Deletion (BAC) |
Drag and Drop Multiple File Upload – Contact Form 7 | Unauthenticated PHP Object Injection (RCE) from PHAR to File Deletion (BAC) |
WordPress Eco Nature - Environment & Ecology WordPress theme | Missing Authorization (BAC) to Limited Options Update (BAC) |
Edd Google Sheet Connector Pro | Cross-Site Request Forgery (CSRF) and Access Code Update (BAC) |
Eventin | Missing Authorization (BAC) to Unauthenticated Payment Status Update (BAC) |
EventPrime | Missing Authorization (BAC) to Private Event Attendees Export |
Event Tickets with Ticket Scanner | Tickets Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
Exchange Rates | Broken Access Control (BAC) |
External image replace | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
File Away | Missing Authorization (BAC) to Unauthenticated File Read (BAC) |
File Away | Missing Authorization (BAC) to Unauthenticated File Upload (BAC) from upload Function |
Five Star Restaurant Reservations | Broken Access Control (BAC) |
Flex Mag Theme | Missing Authorization (BAC) to Option Deletion (BAC) |
Flipdish Ordering System | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
Float menu | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
FluentForm | IP-Spoofing (BAC) |
FoodBakery | Missing Authorization (BAC) in Multiple Functions |
FooGallery | Insecure Direct Object Reference (IDOR) to Post/Page Updates (BAC) |
Football Pool | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
GetShop ecommerce | Path Traversal (BAC) |
GiveWP | Missing Authorization (BAC) to Unauthenticated Earning Reports Private Disclosure from give_reports_earnings Function |
Golo Theme | Missing Authorization (BAC) to Privilege Escalation (BAC) from Unauthenticated User Password Change |
Google Sheet Connector for Easy Digital Downloads | Cross-Site Request Forgery (CSRF) and Access Code Update (BAC) |
Greek Multi Tool – Fix peralinks, accents, auto create menus and more | Broken Access Control (BAC) |
GS Logo Slider | Unauthenticated Shortcode Execution (BAC) |
WordPress Hero Mega Menu - Responsive WordPress Menu Plugin | Missing Authorization (BAC) to Directory Deletion (BAC) |
Homey Theme | Unauthenticated Privilege Escalation (BAC) in homey_save_profile |
Homey Theme | Limited Authentication Bypass (BAC) due to Missing Empty Value Check |
Image Captcha | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
Image Slider / Slideshow Pearlbells | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Import Export WordPress Users | Directory Traversal to Limited File Deletion (BAC) from admin_log_page Function |
Import Export WordPress Users | Directory Traversal to Limited File Read (BAC) from download_file Function |
Industrial Theme | Missing Authorization (BAC) to Options Update (BAC) |
Inline Image Upload for BBPress | File Upload (BAC) |
Instant Appointment | Unauthenticated File Upload (BAC) |
InWave Jobs | Unauthenticated Privilege Escalation (BAC) from Password Reset |
IP Based Login | Log Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
Javo Core | Unauthenticated Privilege Escalation (BAC) in ajax_signup |
JobCareer Theme | Missing Authorization (BAC) to Multiple Administrative Actions |
Jobs for WordPress | File Read (BAC) |
JS Help Desk | File Download (BAC) |
JS Help Desk | File Deletion (BAC) |
JS Help Desk | Broken Access Control (BAC) |
Just Writing Statistics | Broken Access Control (BAC) |
King Addons for Elementor | Broken Access Control (BAC) |
Lafka Theme | Missing Authorization (BAC) to Demo Import |
LearnPress | Broken Access Control (BAC) |
LifterLMS | Missing Authorization (BAC) to Unauthenticated Post Trashing |
Listingo Theme | Unauthenticated Shortcode Execution (BAC) |
Live Forms | Private Settings Change (BAC) |
LoginPress | Cross-Site Request Forgery (CSRF) and Options Update (BAC) |
Material Dashboard | Privilege Escalation (BAC) |
Menu Duplicator | Broken Access Control (BAC) |
miniOrange Social Login and Register Pro Addon | Authentication Bypass (BAC) |
MorningTime Lite Theme | Cross-Site Scripting (XSS) to Remote Code Execution (BAC) |
Moving Media Library | Directory Traversal to File Deletion (BAC) |
Music Press Pro | Broken Access Control (BAC) |
Newscrunch Theme | File Upload (BAC) |
Newscrunch Theme | Cross-Site Request Forgery (CSRF) and File Upload (BAC) |
Order Export & Order Import for WooCommerce | Directory Traversal to Limited File Deletion (BAC) from admin_log_page Function |
Order Export & Order Import for WooCommerce | Directory Traversal to Limited File Read (BAC) from download_file Function |
PageLayer | Missing Authorization (BAC) to Post Publication |
PDF for WPForms | Shortcode Execution (BAC) |
Photo Slideshow (Responsive) | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
PluginPass | File Download/Delete (BAC) |
Post Meta Data Manager | Authenticated Multisite Privilege Escalation (BAC) |
Product Import Export for WooCommerce | Directory Traversal to Limited File Read (BAC) from download_file Function |
publish post email notification | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
Quiz Cat | Broken Access Control (BAC) |
Realteo | Authentication Bypass (BAC) from 'do_register_user' |
Recapture for WooCommerce | Cross-Site Request Forgery (CSRF) to Private Settings Change (BAC) |
Resido | Missing Authorization (BAC) to Unauthenticated Server-Side Request Forgery (SSRF) and API Key Settings Update (BAC) |
Responsive Google Map | Broken Access Control (BAC) |
RomethemeKit For Elementor | Plugin Installation/Activation (BAC) to Remote Code Execution (RCE) |
School Management | Account Takeover (BAC) and Privilege Escalation (BAC) |
School Management | Missing Authorization (BAC) to Unauthenticated Post Deletion (BAC) |
Search Filter Pro | Missing Authorization (BAC) to Private Post Meta Exposure |
SecuPress Free | Broken Access Control (BAC) |
SecuPress Free | Broken Access Control (BAC) |
Secure Copy Content Protection and Content Locking | Missing Authorization (BAC) to Unauthenticated User Email Retrieval from ays_sccp_reports_user_search Function |
Sensei LMS | Broken Access Control (BAC) |
SEO Plugin by Squirrly SEO | Broken Access Control (BAC) |
Service Finder Booking | Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC) |
ShareThis Dashboard for Google Analytics | Missing Authorization (BAC) to Unauthenticated Feature Deactivation |
Shortcode Cleaner Lite | Missing Authorization (BAC) to Private Options Export |
Shortcodes by United Themes | Unauthenticated Shortcode Execution (BAC) |
Simple Download Counter | File Read (BAC) |
Simple Photo Feed | Broken Access Control (BAC) |
Simply Schedule Appointments | Unauthenticated Shortcode Execution (BAC) |
SMTP by BestWebSoft | File Upload (BAC) |
SNORDIAN's H5PxAPIkatchu | Broken Access Control (BAC) |
So-Called Air Quotes | Unauthenticated Shortcode Execution (BAC) |
SoJ SoundSlides | File Upload (BAC) |
Solace Extra | File Upload (BAC) |
SoundRise Music | Options Update (BAC) |
sourceplay-navermap | Broken Access Control (BAC) |
Sparkling Theme | Missing Authorization (BAC) to Unauthenticated Plugin Activation/Deactivation (BAC) |
Specific Content For Mobile | Broken Access Control (BAC) |
Taxi Booking Manager for WooCommerce | Broken Access Control (BAC) |
teachPress | Cross-Site Request Forgery (CSRF) and Import Delete (BAC) |
Terms & Conditions Per Product | Broken Access Control (BAC) |
Textmetrics | Broken Access Control (BAC) |
ThemeEgg ToolKit | File Upload (BAC) |
Tickera | Broken Access Control (BAC) |
Timetics | Broken Access Control (BAC) |
Top Bar | Broken Access Control (BAC) |
Traveler Theme | Broken Access Control (BAC) |
Traveler Theme | Broken Access Control (BAC) |
TrustReviews | Broken Access Control (BAC) |
UiPress lite | Missing Authorization (BAC) to Options Update (BAC) |
uListing | Privilege Escalation (BAC) |
Ultimate Auction | Missing Authorization (BAC) to Post Deletion (BAC) |
Ultimate Dashboard | Missing Authorization (BAC) to Plugin Modules Activation/Deactivation (BAC) |
Ultimate Video Player | Unauthenticated File Download (BAC) |
User Registration | Unauthenticated Privilege Escalation (BAC) |
VidoRev Extensions | Missing Authorization (BAC) to Unauthenticated Youtube Video Import |
VK Blocks | Missing Authorization (BAC) to Private Information Exposure |
VW Storefront Theme | Missing Authorization (BAC) to Settings Reset |
WC Affiliate | Missing Authorization (BAC) to Private Information Exposure from wf-export-all |
WooMail | Missing Authorization (BAC) to SQL Injection (SQLi) |
WordPress Awesome Import & Export Plugin - Import & Export WordPress Data | Missing Authorization (BAC) to SQL Execution (SQLi) and Privilege Escalation (BAC) |
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | Cross-Site Request Forgery (CSRF) and Results Deletion (BAC) |
Workreap Theme | Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC) |
WP01 | File Download (BAC) |
WPCOM Member | Authentication Bypass (BAC) from 'user_phone' |
WP Compress – Image Optimizer [All-In-One] | Missing Authorization (BAC) from Multiple Functions |
WP Crowdfunding | Missing Authorization (BAC) to Post Content Download |
WPCS | Unauthenticated Shortcode Execution (BAC) |
WPCS | Unauthenticated Shortcode Execution (BAC) |
WPC Smart Upsell Funnel for WooCommerce | Option Update to Privilege Escalation (BAC) |
WP ERP | Broken Access Control (BAC) |
WpEvently | Broken Access Control (BAC) |
WP Fast Total Search | Broken Access Control (BAC) |
WP JobHunt | Authentication Bypass (BAC) to Candidate |
WP JobHunt | Authentication Bypass (BAC) |
WP JobHunt | Unauthenticated Privilege Escalation (BAC) from Password Reset/Account Takeover (BAC) |
WP Online Contract | Missing Authorization (BAC) to Unauthenticated Settings Import |
WP Performance Pack | Broken Access Control (BAC) |
WP Real Estate Manager | Authentication Bypass (BAC) from Account Takeover (BAC) |
WPSchoolPress | Missing Authorization (BAC) to User Deletion (BAC) |
WPSchoolPress | Missing Authorization (BAC) to Privilege Escalation (BAC) from Account Takeover (BAC) |
Your Simple SVG Support | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Zass Theme | Missing Authorization (BAC) to Demo Import |
Z Companion | Broken Access Control (BAC) |
Zegen Theme | Missing Authorization (BAC) to Theme Options Update (BAC) |
WordPress BAC & WP Broken Access Control reported in 2023: | 931 |
WordPress BAC & WP Broken Access Control reported in 2024: | 2024 |
WordPress BAC & WP Broken Access Control reported in 2025: | 834 |