Be informed about the latest WP Broken Access Control vulnerabilities that were identified and reported publicly. WP BAC for AUG 2024 shows a +6% INCREASE compared to the previous month. For your online safety, consider a managed security AUDIT, or switching to an alternative WP security plugin from our TOP10LIST, or hiring professionals for managed security.
If any of these publicly reported plugins with non-enforced access checks is installed on your domain, it opens Pandora's box from a security point of view. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Plugin / Theme | Reported issue (category) |
--- | --- |
Academy LMS | Broken Access Control (BAC) |
Add Admin CSS | Unauthenticated Full Path Disclosure (BAC) |
Add Admin JavaScript | Unauthenticated Full Path Disclosure (BAC) |
Addonify | Unauthenticated Full Path Disclosure (BAC) |
Admin Post Navigation | Unauthenticated Full Path Disclosure (BAC) |
Admin Trim Interface | Unauthenticated Full Path Disclosure (BAC) |
Advanced AJAX Page Loader | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Affiliate Manager | Profile Update (BAC) via Cross-Site Request Forgery (CSRF) |
Affiliate Manager | Affiliate Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
AForms | Unauthenticated Full Path Disclosure (BAC) |
AMP for WP | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Aramex Shipping WooCommerce | Unauthenticated Full Path Disclosure (BAC) |
Arconix FAQ | Broken Access Control (BAC) |
Arconix Shortcodes | Broken Access Control (BAC) |
ArtPlacer Widget | Arbitrary Widget Deletion (BAC) |
Atarim | Broken Access Control (BAC) |
aThemes Starter Sites | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Attachment File Icons | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Auto Featured Image (Auto Post Thumbnail) | Broken Access Control (BAC) |
Backup and Staging by WP Time Capsule | Authentication Bypass and Privilege Escalation (BAC) |
Bakes And Cakes Theme | Broken Access Control (BAC) on Notice Dismissal |
Bit Form – Contact Form Plugin | Arbitrary File Upload (BAC) |
BookingPress | Arbitrary File Read to Arbitrary File Creation (BAC) |
BookingPress | Missing Authorization (BAC) to Arbitrary Options Update (BAC) and Arbitrary File Upload (BAC) |
Booking Ultra Pro | Missing Authorization (BAC) to Plugin Settings Updates (BAC) |
BookYourTravel Theme | Privilege Escalation (BAC) |
Branda | Unauthenticated Full Path Disclosure (BAC) |
Brizy – Page Builder | Arbitrary File Upload (BAC) |
Brizy – Page Builder | Missing Authorization (BAC) to Post Modification (BAC) |
Business Card | File Upload (BAC) |
Business One Page Theme | Broken Access Control (BAC) on Notice Dismissal |
Campaign Monitor for WordPress | Unauthenticated Full Path Disclosure (BAC) |
Chained Quiz | Broken Access Control (BAC) |
Charitable | Broken Access Control (BAC) |
Church Admin | Arbitrary File Upload (BAC) |
CM On Demand Search And Replace | Plugin Reset (BAC) via Cross-Site Request Forgery (CSRF) |
Comment Images Reloaded | Arbitrary Media Deletion (BAC) |
Community Events | Event Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
Conditional Fields for Contact Form | Cross-Site Request Forgery (CSRF) to Plugin Setting Reset (BAC) |
Cost Calculator Builder | Missing Authorization (BAC) to Arbitrary Content Creation (BAC) |
CRM Perks Forms | Broken Access Control (BAC) |
CTX Feed | Arbitrary Options Update (BAC) |
Custom Query Blocks | Broken Access Control (BAC) |
Default Thumbnail Plus | Arbitrary File Upload (BAC) |
Duplica | Missing Authorization (BAC) to Users/Posts Duplicates Creation (BAC) |
Duplicator | Full Path Disclosure (BAC) |
EazyDocs | Broken Access Control (BAC) |
EleForms | Broken Access Control (BAC) |
Email Subscribers & Newsletters | Missing Authorization (BAC) |
EmbedPress | Broken Access Control (BAC) |
Eventin | Missing Authorization (BAC) to Event Data Import |
EventON | Missing Authorization (BAC) to Unauthenticated Cross-Site Scripting (XSS) and Plugin Settings Updates (BAC) |
Featured Image from URL | Broken Access Control (BAC) |
Featured Image Generator | Missing Authorization (BAC) to Images Upload (BAC) |
File Manager Advanced Shortcode | Arbitrary File Upload (BAC) |
Funnel Builder for WordPress by FunnelKit | Cross-Site Scripting (XSS) via SVG Upload (BAC) |
Funnel Builder for WordPress by FunnelKit | Missing Authorization (BAC) to Settings Update (BAC) |
Generate PDF using Contact Form | Cross-Site Request Forgery (CSRF) to Arbitrary File Deletion (BAC) |
Generate PDF using Contact Form | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Get Better Reviews for WooCommerce | Broken Access Control (BAC) |
Glossary | Unauthenticated Full Path Disclosure (BAC) |
Gravity Forms: Multiple Form Instances | Unauthenticated Full Path Disclosure (BAC) |
Hide My WP Ghost | Hidden Login Page Disclosure (BAC) |
IgnitionDeck | Missing Authorization (BAC) |
IMGspider | Arbitrary File Upload (BAC) |
Import Spreadsheets from Microsoft Excel | Arbitrary File Upload (BAC) |
Insert or Embed Articulate Content into WordPress | Arbitrary File Upload (BAC) |
Intelligence | Unauthenticated Full Path Disclosure (BAC) |
iPanorama 3 WordPress Virtual Tour Builder | Broken Access Control (BAC) |
IQ Testimonials | Unauthenticated Arbitrary File Upload (BAC) |
JetThemeCore | Arbitrary File Deletion (BAC) |
Jobmonster Theme | Unauthenticated Arbitrary File Deletion (BAC) |
Jobmonster Theme | Unauthenticated Privilege Escalation (BAC) |
JSON API User | Unauthenticated Privilege Escalation (BAC) |
Just Custom Fields | Missing Authorization (BAC) via AJAX actions |
Keydatas | Unauthenticated Arbitrary File Upload (BAC) |
Language Translate Widget for WordPress – ConveyThis | Nonarbitrary Options Update (BAC) |
Laposta | Unauthenticated Full Path Disclosure (BAC) |
LearnDash LMS – Reports | Missing Authorization (BAC) to Plugin Settings Update (BAC) |
LearnPress | Missing Authorization (BAC) to Unauthenticated User Registration Bypass |
Light Poll | Poll Answers Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
MasterStudy LMS | Privilege Escalation (BAC) to Instructor |
MaxiBlocks | Arbitrary File Deletion (BAC) |
Media Hygiene | Missing Authorization (BAC) to Arbitrary Attachment Deletion (BAC) |
Media.net Ads Manager | Missing Authorization (BAC) to Arbitrary File Upload (BAC) |
Meks Video Importer | Broken Access Control (BAC) |
Metro Magazine Theme | Broken Access Control (BAC) on Notice Dismissal |
Modern Events Calendar | Arbitrary File Upload (BAC) |
Modern Events Calendar Lite | Arbitrary File Upload (BAC) |
Motors – Car Dealer & Classified Ads | Missing Authorization (BAC) |
Newsmatic Theme | Broken Access Control (BAC) |
Newspack Content Converter | Broken Access Control (BAC) |
Newspack Newsletters | Broken Access Control (BAC) |
Noptin | Broken Access Control (BAC) |
One Click Close Comments | Unauthenticated Full Path Disclosure (BAC) |
One Click Order ReOrder | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
Optimize images ALT Text (alt tag) & names for SEO using AI | Unauthenticated Full Path Disclosure (BAC) |
Packlink PRO shipping module | Broken Access Control (BAC) |
Pardakht Delkhah | Form Fields Reset (BAC) via Cross-Site Request Forgery (CSRF) |
Payflex Payment Gateway | Missing Authorization (BAC) to Order Status Update |
Pie Register | Missing Authorization (BAC) to Arbitrary Plugin Installation and Activation/Deactivation |
Plum: Spin Wheel & Email Popup | Broken Access Control (BAC) |
Plum: Spin Wheel & Email Popup | Broken Access Control (BAC) to Unauthenticated Cross-Site Scripting (XSS) |
PowerPack for Beaver Builder | Privilege Escalation (BAC) |
PowerPack Pro for Elementor | Privilege Escalation (BAC) |
Pricing Table | Missing Authorization (BAC) |
Product Delivery Date for WooCommerce – Lite | Broken Access Control (BAC) |
Product Designer | Arbitrary Content Deletion (BAC) |
Product Designer | Missing Authorization (BAC) to Unauthenticated Arbitrary Attachment Deletion (BAC) |
Profile Builder | Unauthenticated Media Upload (BAC) |
ProfileGrid | Broken Access Control (BAC) |
ProfileGrid | Privilege Escalation (BAC) |
Quotes And Tips | Arbitrary File Upload (BAC) |
Realtyna Organic IDX plugin | Arbitrary File Upload (BAC) |
ReDi Restaurant Reservation | Broken Access Control (BAC) |
Redux Framework | Unauthenticated JSON File Upload (BAC) to Cross-Site Scripting (XSS) |
Responsive Image Gallery, Gallery Album | Broken Access Control (BAC) |
SchedulePress | Unauthenticated Full Path Disclosure (BAC) |
ScrollTo Bottom | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
ScrollTo Top | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Seraphinite Accelerator (Full, premium) | Cross-Site Request Forgery (CSRF) Leading to Arbitrary File Deletion (BAC) |
Seraphinite Post .DOCX Source | Broken Access Control (BAC) |
Simple Photoswipe | Arbitrary Settings Update (BAC) |
Sirv | Missing Authorization (BAC) to Plugin Settings Update (BAC) |
SiteGround Security | Broken Access Control (BAC) |
SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer | Unauthenticated Full Path Disclosure (BAC) |
Social Auto Poster | Arbitrary File Upload (BAC) |
Social Auto Poster | Missing Authorization (BAC) to Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template |
Social Auto Poster | Missing Authorization (BAC) to Unauthenticated Arbitrary Post Deletion (BAC) |
Social Auto Poster | Missing Authorization (BAC) via Multiple Functions |
Spectra | Broken Access Control (BAC) |
SULly | Plugin Reset (BAC) via Cross-Site Request Forgery (CSRF) |
Support SVG | Cross-Site Scripting (XSS) via SVG Upload (BAC) |
SVG Block | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Tainacan | Missing Authorization (BAC) to Arbitrary File Read |
The Post Grid | Broken Access Control (BAC) |
Titan Antispam & Security | Broken Access Control (BAC) |
Tutor LMS – Migration Tool | Missing Authorization (BAC) in tutor_lp_export_xml and tutor_import_from_xml |
Ultimate Addons for Elementor | Privilege Escalation (BAC) |
Ultimate Auction | Missing Authorization (BAC) to Unauthenticated Email Creation (BAC) |
User Activity Log Pro | Multiple Broken Access Control (BAC) |
Web and WooCommerce Addons for WPBakery Builder | Missing Authorization (BAC) to Plugin Settings Modification (BAC) |
Wholesale Suite | Broken Access Control (BAC) |
Woffice Core | Unauthenticated Broken Access Control (BAC) |
Woocommerce OpenPos | Unauthenticated Arbitrary File Deletion (BAC) |
WooCommerce Product Table Lite | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
WordPress Cliengo Chatbot plugin | Missing Authorization (BAC) to Authorized Chatbot Settings Update (BAC) |
WordPress Cliengo Chatbot plugin | Missing Authorization (BAC) to Unauthenticated Chatbot Settings Update (BAC) |
WordPress Form Builder Plugin – Gutenberg Forms | Unauthenticated Arbitrary File Upload (BAC) |
WordPress Happy SCSS Compiler Compile SCSS to CSS automatically plugin | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
WP Accessibility Helper (WAH) | Broken Access Control (BAC) |
WP Ajax Contact Form | Arbitrary Email Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
WP EasyPay | Missing Authorization (BAC) to Unauthenticated Service Disconnection |
WP eMember | Arbitrary File Upload (BAC) |
WP eStore | Coupon Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
WP Fast Total Search | Broken Access Control (BAC) |
WPForms User Registration | Privilege Escalation (BAC) |
WP GoToWebinar | Broken Access Control (BAC) |
WP Links Page | Missing Authorization (BAC) to Limited Image Update |
WP Meteor Page Speed Optimization Topping | Unauthenticated Full Path Disclosure (BAC) |
WP Mobile Menu | Missing Authorization (BAC) to _mobmenu_icon Post Meta Modification (BAC) |
WP Popups | Unauthenticated Full Path Disclosure (BAC) |
WP QuickLaTeX | Cross-Site Scripting (XSS) in Background Color field |
WP RSS Aggregator | Missing Authorization (BAC) to Feed State Update |
WPS Hide Login | Hidden Login Page Disclosure (BAC) |
WP User Switch | Privilege Escalation (BAC) |
XCloner Backup, Restore and Migrate | Unauthenticated Full Path Disclosure (BAC) |
XPlainer WooCommerce Product FAQ | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
XPlainer WooCommerce Product FAQ | Missing Authorization (BAC) to Settings Update (BAC) |
YITH Essential Kit for WooCommerce #1 | Missing Authorization (BAC) to Limited Plugin Install, Activation, and Deactivation |
Youzify | Broken Access Control (BAC) |
Zephyr Project Manager | Privilege Escalation (BAC) |
WordPress BAC & WP Broken Access Control reported in 2023: 931
WordPress BAC & WP Broken Access Control reported in 2024: 1063
How wonderful would it be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: a managed service for the price of one cup of coffee.
Start simply by contacting us with your selections: