Discover managed ACQUISITION metrics for WordPress, WooCommerce, Shopify, SaaS. Managed for you on your domain, inside your hosting account, in your country. With a good managed monitoring strategy in place, you'll gain greater transparency & visibility into your operations with a timely alerting system.
Be informed about the latest WP Broken Access Control issues, identified and reported publicly. WP BAC DEC 2024 shows a 22% DECREASE compared to the previous month. For your online safety, consider a managed security AUDIT, or switching to a TOP10LIST alternative WP Security Plugin, or hiring professionals for managed Security.
If any of these publicly reported vulnerable plugins with non-enforced access checks is present on your domain, it opens Pandora's box from a security point of view. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
AccessPress Staple Theme | Arbitrary Plugin Activation (BAC) and DeActivation (BAC) to Remote Code Execution (RCE) |
Advanced Order Export For WooCommerce | Unauthenticated PHP Object Injection (BAC) |
Advanced Personalization | PHP Object Injection (BAC) |
Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One | Broken Access Control (BAC) |
AI Quiz | Broken Access Control (BAC) |
Airin Blog Theme | PHP Object Injection (BAC) |
AJAX Random Posts | PHP Object Injection (BAC) |
Alphabetical List | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Anonymous Restricted Content | Unauthenticated Content Restriction Bypass (BAC) to Private Information Exposure |
AppPresser | Unauthenticated Privilege Escalation (BAC) from Password Reset |
Aqua SVG Sprite | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Audio Record | Arbitrary File Upload (BAC) |
B-Banner Slider | Arbitrary File Upload (BAC) |
Backup and Staging by WP Time Capsule | Unauthenticated Arbitrary File Upload (BAC) |
Banner System | Privilege Escalation (BAC) |
Bard Extra | Missing Authorization (BAC) to Demo Import |
BasePress Migration Tools | Arbitrary File Upload (BAC) |
Boat Rental Plugin for WordPress | Arbitrary File Upload (BAC) |
Booking & Appointment Plugin for WooCommerce | Arbitrary Option Update (BAC) |
Booking calendar, Appointment Booking System | Unauthenticated Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Buy one click WooCommerce | Missing Authorization (BAC) to Settings Export (BAC) |
Buying Buddy IDX CRM | Cross-Site Request Forgery (CSRF) to PHP Object Injection (BAC) |
CDI | Arbitrary File Upload (BAC) |
CE21 Suite | Missing Authorization (BAC) to Unauthenticated Plugin Settings Change (BAC) |
CF7 Reply Manager | Arbitrary File Upload (BAC) |
Chatter | Broken Access Control (BAC) |
Classified Listing | Arbitrary Option Update (BAC) |
Clone | Unauthenticated PHP Object Injection (BAC) from 'recursive_unserialized_replace' |
CM Table Of Contents – WordPress TOC Plugin | Settings Reset (BAC) from Cross-Site Request Forgery (CSRF) |
Combo WP Rewrite Slugs | Settings Change (BAC) |
Computer Repair Shop | Arbitrary File Upload (BAC) |
Contact Form by WPForms | Cross-Site Request Forgery (CSRF) to Plugin's Log Deletion (BAC) |
Contact Page With Google Map | Arbitrary File Deletion (BAC) |
Contest Gallery | Unauthenticated Arbitrary Password Reset (BAC) to Privilege Escalation (BAC) and Account Takeover (BAC) |
Convert Docx2post | Arbitrary File Upload (BAC) |
CSV to html | Arbitrary File Upload (BAC) |
Customer Reviews for WooCommerce | Missing Authorization (BAC) to Import Cancellation |
CYAN Backup | Arbitrary File Download (BAC) |
Datasets Manager by Arttia Creative | Arbitrary File Upload (BAC) |
de:branding | Privilege Escalation (BAC) |
Debug Tool | Unauthenticated Arbitrary File Creation (BAC) |
Devexhub Gallery | Arbitrary File Upload (BAC) |
DigiPass | Arbitrary File Download (BAC) |
Do That Task | Arbitrary File Upload (BAC) |
Drop Shadow Boxes | Arbitrary Shortcode Execution (BAC) |
Easy Accordion Gutenberg Block | Broken Access Control (BAC) |
Easy CSV Importer BETA | Arbitrary File Upload (BAC) |
EleForms | Missing Authorization (BAC) |
Elementor – Header, Footer & Blocks Template | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Elfsight Telegram Chat CC | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
Essential Addons for Elementor | Private Information Exposure to Privilege Escalation (BAC) |
Exclusive Content Password Protect | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
External Database Based Actions | Authentication Bypass (BAC) |
F4 Improvements | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Fediverse Embeds | Arbitrary File Upload (BAC) |
File Manager Pro | Arbitrary File Upload (BAC) |
Floating Buttons for WooCommerce | Broken Access Control (BAC) |
FluentSMTP | Unauthenticated PHP Object Injection (BAC) |
Forms | Arbitrary File Upload (BAC) |
Gallerio | Arbitrary File Upload (BAC) |
GamiPress | Unauthenticated Arbitrary Shortcode Execution (BAC) from gamipress_get_user_earnings |
GEO my WordPress | Arbitrary File Upload (BAC) |
Geolocator | PHP Object Injection (BAC) |
Global Gateway e4 / Payeezy Gateway | Arbitrary File Deletion (BAC) |
GPX Viewer | Arbitrary File Creation (BAC) |
Grid View Gallery | PHP Object Injection (BAC) |
Grip Theme | Arbitrary Plugin Activation (BAC) and DeActivation (BAC) to Remote Code Execution (RCE) |
Hacklog DownloadManager | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Hash Elements | Missing Authorization (BAC) to Unauthenticated Draft Post Title Exposure |
HB AUDIO GALLERY | Arbitrary File Upload (BAC) |
Heateor Social Login | Authentication Bypass (BAC) |
Hide Links | Unauthenticated Shortcode Execution (BAC) |
Hive Support – WordPress Help Desk | Arbitrary File Upload (BAC) |
Hustle | Missing Authorization (BAC) to Unauthorized Form Submission |
Hustle | Missing Authorization (BAC) to Unpublished Form Exposure |
Image Alt Text | Missing Authorization (BAC) to Image Alt Text Update (BAC) |
Image Classify | Arbitrary File Upload (BAC) |
InPost Gallery | Arbitrary Shortcode Execution (BAC) from inpost_gallery_get_shortcode_template |
Instant Image Generator | Arbitrary File Upload (BAC) |
JetWidgets For Elementor | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Jobify - Job Board WordPress Theme | Broken Access Control (BAC) |
Jobify - Job Board WordPress Theme | Unauthenticated Arbitrary File Read (BAC) |
JobSearch | Arbitrary File Upload (BAC) |
JobSearch | Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC) |
JobSearch | Unauthenticated Arbitrary File Upload (BAC) |
KBucket | Arbitrary File Upload (BAC) |
kineticPay for WooCommerce | Arbitrary File Upload (BAC) |
Kognetiks Chatbot for WordPress | Missing Authorization (BAC) to Assistant Addition (BAC) |
Kognetiks Chatbot for WordPress | Missing Authorization (BAC) to Assistant Deletion (BAC) |
Kognetiks Chatbot for WordPress | Missing Authorization (BAC) to Assistant Update (BAC) |
Kognetiks Chatbot for WordPress | Cross-Site Request Forgery (CSRF) to Assistant Modification (BAC) |
Leopard - WordPress offload media | Missing Authorization (BAC) to Arbitrary Options Update (BAC) |
Lis Video Gallery | PHP Object Injection (BAC) |
Lock User Account | User Lock Bypass (BAC) |
Loginizer | Authentication Bypass (BAC) |
Loginizer Security | Authentication Bypass (BAC) |
LSX Tour Operator | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Luna Web Radio Player | Unauthenticated Arbitrary File Read (BAC) |
Matix Popup Builder | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
mFolio Lite | Missing Authorization (BAC) to File Upload (BAC) from EXE and SVG Files |
MP3 Sticky Player | Unauthenticated Arbitrary File Read (BAC) and Download (BAC) |
MPG | Directory Traversal to File Deletion (BAC) |
MultiManager WP | Authentication Bypass (BAC) from User Impersonation |
Music Player for Elementor – Audio Player & Podcast Player | Missing Authorization (BAC) to Template Import |
My Contador lesr | Missing Authorization (BAC) to Unauthenticated User Registration (BAC) CSV Export (BAC) |
My Geo Posts Free | PHP Object Injection (BAC) |
NIX Anti-Spam Light | PHP Object Injection (BAC) |
Opal Woo Custom Product Variation | Arbitrary File Deletion (BAC) |
Otter - Gutenberg Block | Broken Access Control (BAC) |
Otter - Gutenberg Block | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Otter - Gutenberg Block | Unauthenticated Path Traversal (BAC) to Arbitrary Image View |
Paid Member Subscriptions | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Pathomation | Arbitrary File Upload (BAC) |
Paytium | Broken Access Control (BAC) |
Picsmize | Arbitrary File Upload (BAC) |
Pie Register Premium | Broken Access Control (BAC) |
Popup box | Missing Authorization (BAC) to Unauthenticated Options Update (BAC) |
Post From Frontend | Post Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
PostX | Missing Authorization (BAC) to Arbitrary Plugin Installation (BAC) and Activation (BAC) |
Product Designer | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Product Input Fields for WooCommerce | Arbitrary File Read (BAC) |
ProfileGrid | Missing Authorization (BAC) to Arbitrary User Meta Deletion (BAC) |
ProfilePress | Unauthenticated Content Restriction Bypass (BAC) to Private Information Exposure |
PublishPress Revisions | Missing Authorization (BAC) to Private Information Exposure |
Push Notifications for WordPress by PushAssist | Arbitrary File Upload (BAC) |
QRMenu Restaurant QR Menu Lite | PHP Object Injection (BAC) |
Quick Learn | PHP Object Injection (BAC) |
Rank Math SEO | Arbitrary htaccess Overwrite (BAC) to Remote Code Execution (RCE) |
Really Simple Security Pro | Account Takeover (BAC) |
Really Simple Security Pro multisite | Account Takeover (BAC) |
Really Simple SSL | Account Takeover (BAC) |
Referrer Detector | PHP Object Injection (BAC) |
RegistrationMagic | Unauthenticated Privilege Escalation (BAC) from Password Recovery |
Relais 2FA | Authentication Bypass (BAC) |
Request a Quote for WooCommerce and Elementor | Unauthenticated Arbitrary Shortcode Execution (BAC) from fire_contact_form |
Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation | Arbitrary File Upload (BAC) |
School Management | Unauthenticated Arbitrary File Upload (BAC) |
Security & Malware scan by CleanTalk | Authorization Bypass (BAC) from Reverse DNS Spoofing to Unauthenticated SQL Injection (SQLi) |
Simple Local Avatars | Missing Authorization (BAC) to User Cache Clearing |
Sirv | Missing Authorization (BAC) to Arbitrary Option Deletion (BAC) |
SK WP Settings Backup | Cross-Site Request Forgery (CSRF) to PHP Object Injection (BAC) |
Sky Addons for Elementor | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
Sky Addons for Elementor | Missing Authorization (BAC) to Arbitrary Options Update (BAC) |
Smart Marketing SMS and Newsletters Forms | Broken Access Control (BAC) |
Social Login | Authentication Bypass (BAC) |
Spam protection, AntiSpam, FireWall by CleanTalk | Authorization Bypass (BAC) from Reverse DNS Spoofing |
Spam protection, AntiSpam, FireWall by CleanTalk | Authorization Bypass (BAC) |
Styler for Ninja Forms | Arbitrary Option Deletion (BAC) from deactivate_license |
Super Socializer | Authentication Bypass (BAC) |
Support SVG | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
SVG Block | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
System Dashboard | Path Traversal (BAC) |
Team Rosters | PHP Object Injection (BAC) |
Th Shop Mania Theme | Arbitrary Plugin Installation (BAC) and Activation (BAC) |
The Novel Design Store Directory | Arbitrary File Upload (BAC) |
Tickera | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Top Store Theme | Arbitrary Plugin Installation (BAC) and Activation (BAC) |
Tumult Hype Animations | Missing Authorization (BAC) |
Tumult Hype Animations | Arbitrary File Upload (BAC) from hypeanimations_panel Function |
Tutor LMS | User Registration (BAC) Setting Bypass (BAC) to Unauthorized User Registration (BAC) |
Uix Slideshow | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Ultimate Member | Missing Authorization (BAC) to Arbitrary User Profile Picture Update (BAC) |
Ultimate YouTube Video & Shorts Player With Vimeo | Missing Authorization (BAC) to Arbitrary Playlist and Video Deletion (BAC) |
Ultimate YouTube Video & Shorts Player With Vimeo | Missing Authorization (BAC) to Setting Exposure |
User Extra Fields | Unauthenticated Arbitrary File Upload (BAC) |
User Extra Fields | Missing Authorization (BAC) to Privilege Escalation (BAC) |
User Extra Fields | Unauthenticated Arbitrary File Deletion (BAC) |
User Management | Arbitrary File Upload (BAC) |
UserPlus | Privilege Escalation (BAC) |
Video Gallery for WooCommerce | Missing Authorization (BAC) to Unauthenticated File Deletion (BAC) |
Wawp | Account Takeover (BAC) |
WDES Responsive Mobile Menu | PHP Object Injection (BAC) |
WOLF | CSV Path Traversal (BAC) |
WooCommerce Product Table Lite | Unauthenticated Arbitrary Shortcode Execution (BAC) & Cross-Site Scripting (XSS) |
WooCommerce Report | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
WooCommerce Social Login | Authentication Bypass (BAC) |
WooCommerce Support Ticket System | Unauthenticated Arbitrary File Deletion (BAC) |
WooCommerce Support Ticket System | Unauthenticated Arbitrary File Upload (BAC) |
WooCommerce Upload Files | Unauthenticated Arbitrary File Upload (BAC) |
WOOCS – WooCommerce Currency Switcher | Unauthenticated Arbitrary Shortcode Execution (BAC) |
WordPress GDPR & CCPA | Missing Authorization (BAC) to Unauthenticated Arbitrary User Deletion (BAC) |
WordPress Video Robot - The Ultimate Video Importer | Privilege Escalation (BAC) from User Meta Update (BAC) |
WP Chat App | Missing Authorization (BAC) to Filebird Plugin Installation (BAC) |
WP Log Viewer | Missing Authorization (BAC) |
WP Membership | Unauthenticated Arbitrary File Upload (BAC) |
WP Photo Album Plus | Unauthenticated Arbitrary Shortcode Execution (BAC) from getshortcodedrenderedfenodelay |
WP Project Manager | Insecure Direct Object Reference (IDOR) to Unauthenticated Authorization Bypass (BAC) |
WP Project Manager | Missing Authorization (BAC) to Project Milestone and Task Creation (BAC) and Deletion |
WP Quick Setup | Arbitrary Plugin and Theme Installation (BAC) to Remote Code Execution (RCE) |
WP Travel Engine | Missing Authorization (BAC) to Plugin Settings Update (BAC) |
WP User Manager | Missing Authorization (BAC) to User Meta Key Enumeration |
WP User Manager | Missing Authorization (BAC) to Carbon Fields Custom Sidebar Addition (BAC) and Removal |
WP-Orphanage Extended | Cross-Site Request Forgery (CSRF) to Orphan Account Privilege Escalation (BAC) |
WPB Popup for Contact Form 7 | Unauthenticated Arbitrary Shortcode Execution (BAC) from wpb_pcf_fire_contact_form |
WPDash Notes | Missing Authorization (BAC) to Private Information Exposure |
WPGYM | Missing Authorization (BAC) to Privilege Escalation (BAC) |
WPGYM | Unauthenticated Arbitrary File Upload (BAC) |
WPLMS Theme | Unauthenticated Arbitrary File Read (BAC) and Deletion (BAC) |
WPvivid Backup and Migration | Unauthenticated PHP Object Injection (BAC) |
Writer Helper | Arbitrary File Upload (BAC) |
Xin Theme | PHP Object Injection (BAC) |
Xpresslane Fast Checkout | PHP Object Injection (BAC) |
XT Floating Cart for WooCommerce | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Yaad Sarig Payment Gateway For WC | Missing Authorization (BAC) to Log Read (BAC) and Deletion |
Zotpress | Missing Authorization (BAC) |
WordPress BAC & WP Broken Access Control reported in 2023: | 931 |
WordPress BAC & WP Broken Access Control reported in 2024: | 1805 |
How wonderful would it be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of a premium cup of coffee per week for your first managed service.
Start simply by contacting us with your selections:
We care about the protection of your personal data. Update, subscribe or unsubscribe anytime. Read our Privacy Policy.