🔬 Conversion Rate Optimisation for your 🌐 WordPress & 🛒 WooCommerce: skyrocket sales with modern, proven methods! The purpose of recurring CRO services is to constantly improve the likelihood of visitors taking your desired action on your domain.
Be informed about the latest WP Broken Access Control issues, identified and reported publicly. The number of WP BAC reports for DEC 2024 is a 22% DECREASE compared to the previous month. For your online safety, consider a managed security AUDIT – OR – switching to a TOP10LIST alternative WP Security Plugin – OR – hiring professionals for managed Security.
If any of these publicly reported vulnerable plugins with non-enforced access checks is installed on your domain, it opens Pandora's box from a security point of view. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Plugin / Theme | Reported Broken Access Control Issue |
AccessPress Staple Theme | Arbitrary Plugin Activation (BAC) and Deactivation (BAC) to Remote Code Execution (RCE) |
Advanced Order Export For WooCommerce | Unauthenticated PHP Object Injection (BAC) |
Advanced Personalization | PHP Object Injection (BAC) |
Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One | Broken Access Control (BAC) |
AI Quiz | Broken Access Control (BAC) |
Airin Blog Theme | PHP Object Injection (BAC) |
AJAX Random Posts | PHP Object Injection (BAC) |
Alphabetical List | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Anonymous Restricted Content | Unauthenticated Content Restriction Bypass (BAC) to Private Information Exposure |
AppPresser | Unauthenticated Privilege Escalation (BAC) from Password Reset |
Aqua SVG Sprite | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Audio Record | Arbitrary File Upload (BAC) |
B-Banner Slider | Arbitrary File Upload (BAC) |
Backup and Staging by WP Time Capsule | Unauthenticated Arbitrary File Upload (BAC) |
Banner System | Privilege Escalation (BAC) |
Bard Extra | Missing Authorization (BAC) to Demo Import |
BasePress Migration Tools | Arbitrary File Upload (BAC) |
Boat Rental Plugin for WordPress | Arbitrary File Upload (BAC) |
Booking & Appointment Plugin for WooCommerce | Arbitrary Option Update (BAC) |
Booking calendar, Appointment Booking System | Unauthenticated Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Buy one click WooCommerce | Missing Authorization (BAC) to Settings Export (BAC) |
Buying Buddy IDX CRM | Cross-Site Request Forgery (CSRF) to PHP Object Injection (BAC) |
CDI | Arbitrary File Upload (BAC) |
CE21 Suite | Missing Authorization (BAC) to Unauthenticated Plugin Settings Change (BAC) |
CF7 Reply Manager | Arbitrary File Upload (BAC) |
Chatter | Broken Access Control (BAC) |
Classified Listing | Arbitrary Option Update (BAC) |
Clone | Unauthenticated PHP Object Injection (BAC) from 'recursive_unserialized_replace' |
CM Table Of Contents – WordPress TOC Plugin | Settings Reset (BAC) from Cross-Site Request Forgery (CSRF) |
Combo WP Rewrite Slugs | Settings Change (BAC) |
Computer Repair Shop | Arbitrary File Upload (BAC) |
Contact Form by WPForms | Cross-Site Request Forgery (CSRF) to Plugin's Log Deletion (BAC) |
Contact Page With Google Map | Arbitrary File Deletion (BAC) |
Contest Gallery | Unauthenticated Arbitrary Password Reset (BAC) to Privilege Escalation (BAC) and Account Takeover (BAC) |
Convert Docx2post | Arbitrary File Upload (BAC) |
CSV to html | Arbitrary File Upload (BAC) |
Customer Reviews for WooCommerce | Missing Authorization (BAC) to Import Cancellation |
CYAN Backup | Arbitrary File Download (BAC) |
Datasets Manager by Arttia Creative | Arbitrary File Upload (BAC) |
de:branding | Privilege Escalation (BAC) |
Debug Tool | Unauthenticated Arbitrary File Creation (BAC) |
Devexhub Gallery | Arbitrary File Upload (BAC) |
DigiPass | Arbitrary File Download (BAC) |
Do That Task | Arbitrary File Upload (BAC) |
Drop Shadow Boxes | Arbitrary Shortcode Execution (BAC) |
Easy Accordion Gutenberg Block | Broken Access Control (BAC) |
Easy CSV Importer BETA | Arbitrary File Upload (BAC) |
EleForms | Missing Authorization (BAC) |
Elementor – Header, Footer & Blocks Template | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Elfsight Telegram Chat CC | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
Essential Addons for Elementor | Private Information Exposure to Privilege Escalation (BAC) |
Exclusive Content Password Protect | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
External Database Based Actions | Authentication Bypass (BAC) |
F4 Improvements | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Fediverse Embeds | Arbitrary File Upload (BAC) |
File Manager Pro | Arbitrary File Upload (BAC) |
Floating Buttons for WooCommerce | Broken Access Control (BAC) |
FluentSMTP | Unauthenticated PHP Object Injection (BAC) |
Forms | Arbitrary File Upload (BAC) |
Gallerio | Arbitrary File Upload (BAC) |
GamiPress | Unauthenticated Arbitrary Shortcode Execution (BAC) from gamipress_get_user_earnings |
GEO my WordPress | Arbitrary File Upload (BAC) |
Geolocator | PHP Object Injection (BAC) |
Global Gateway e4 / Payeezy Gateway | Arbitrary File Deletion (BAC) |
GPX Viewer | Arbitrary File Creation (BAC) |
Grid View Gallery | PHP Object Injection (BAC) |
Grip Theme | Arbitrary Plugin Activation (BAC) and Deactivation (BAC) to Remote Code Execution (RCE) |
Hacklog DownloadManager | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
Hash Elements | Missing Authorization (BAC) to Unauthenticated Draft Post Title Exposure |
HB AUDIO GALLERY | Arbitrary File Upload (BAC) |
Heateor Social Login | Authentication Bypass (BAC) |
Hide Links | Unauthenticated Shortcode Execution (BAC) |
Hive Support – WordPress Help Desk | Arbitrary File Upload (BAC) |
Hustle | Missing Authorization (BAC) to Unauthorized Form Submission |
Hustle | Missing Authorization (BAC) to Unpublished Form Exposure |
Image Alt Text | Missing Authorization (BAC) to Image Alt Text Update (BAC) |
Image Classify | Arbitrary File Upload (BAC) |
InPost Gallery | Arbitrary Shortcode Execution (BAC) from inpost_gallery_get_shortcode_template |
Instant Image Generator | Arbitrary File Upload (BAC) |
JetWidgets For Elementor | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Jobify - Job Board WordPress Theme | Broken Access Control (BAC) |
Jobify - Job Board WordPress Theme | Unauthenticated Arbitrary File Read (BAC) |
JobSearch | Arbitrary File Upload (BAC) |
JobSearch | Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC) |
JobSearch | Unauthenticated Arbitrary File Upload (BAC) |
KBucket | Arbitrary File Upload (BAC) |
kineticPay for WooCommerce | Arbitrary File Upload (BAC) |
Kognetiks Chatbot for WordPress | Missing Authorization (BAC) to Assistant Addition (BAC) |
Kognetiks Chatbot for WordPress | Missing Authorization (BAC) to Assistant Deletion (BAC) |
Kognetiks Chatbot for WordPress | Missing Authorization (BAC) to Assistant Update (BAC) |
Kognetiks Chatbot for WordPress | Cross-Site Request Forgery (CSRF) to Assistant Modification (BAC) |
Leopard - WordPress offload media | Missing Authorization (BAC) to Arbitrary Options Update (BAC) |
Lis Video Gallery | PHP Object Injection (BAC) |
Lock User Account | User Lock Bypass (BAC) |
Loginizer | Authentication Bypass (BAC) |
Loginizer Security | Authentication Bypass (BAC) |
LSX Tour Operator | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Luna Web Radio Player | Unauthenticated Arbitrary File Read (BAC) |
Matix Popup Builder | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
mFolio Lite | Missing Authorization (BAC) to File Upload (BAC) from EXE and SVG Files |
MP3 Sticky Player | Unauthenticated Arbitrary File Read (BAC) and Download (BAC) |
MPG | Directory Traversal to File Deletion (BAC) |
MultiManager WP | Authentication Bypass (BAC) from User Impersonation |
Music Player for Elementor – Audio Player & Podcast Player | Missing Authorization (BAC) to Template Import |
My Contador lesr | Missing Authorization (BAC) to Unauthenticated User Registration (BAC) CSV Export (BAC) |
My Geo Posts Free | PHP Object Injection (BAC) |
NIX Anti-Spam Light | PHP Object Injection (BAC) |
Opal Woo Custom Product Variation | Arbitrary File Deletion (BAC) |
Otter - Gutenberg Block | Broken Access Control (BAC) |
Otter - Gutenberg Block | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Otter - Gutenberg Block | Unauthenticated Path Traversal (BAC) to Arbitrary Image View |
Paid Member Subscriptions | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Pathomation | Arbitrary File Upload (BAC) |
Paytium | Broken Access Control (BAC) |
Picsmize | Arbitrary File Upload (BAC) |
Pie Register Premium | Broken Access Control (BAC) |
Popup box | Missing Authorization (BAC) to Unauthenticated Options Update (BAC) |
Post From Frontend | Post Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
PostX | Missing Authorization (BAC) to Arbitrary Plugin Installation (BAC) and Activation (BAC) |
Product Designer | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Product Input Fields for WooCommerce | Arbitrary File Read (BAC) |
ProfileGrid | Missing Authorization (BAC) to Arbitrary User Meta Deletion (BAC) |
ProfilePress | Unauthenticated Content Restriction Bypass (BAC) to Private Information Exposure |
PublishPress Revisions | Missing Authorization (BAC) to Private Information Exposure |
Push Notifications for WordPress by PushAssist | Arbitrary File Upload (BAC) |
QRMenu Restaurant QR Menu Lite | PHP Object Injection (BAC) |
Quick Learn | PHP Object Injection (BAC) |
Rank Math SEO | Arbitrary htaccess Overwrite (BAC) to Remote Code Execution (RCE) |
Really Simple Security Pro | Account Takeover (BAC) |
Really Simple Security Pro multisite | Account Takeover (BAC) |
Really Simple SSL | Account Takeover (BAC) |
Referrer Detector | PHP Object Injection (BAC) |
RegistrationMagic | Unauthenticated Privilege Escalation (BAC) from Password Recovery |
Relais 2FA | Authentication Bypass (BAC) |
Request a Quote for WooCommerce and Elementor | Unauthenticated Arbitrary Shortcode Execution (BAC) from fire_contact_form |
Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation | Arbitrary File Upload (BAC) |
School Management | Unauthenticated Arbitrary File Upload (BAC) |
Security & Malware scan by CleanTalk | Authorization Bypass (BAC) from Reverse DNS Spoofing to Unauthenticated SQL Injection (SQLi) |
Simple Local Avatars | Missing Authorization (BAC) to User Cache Clearing |
Sirv | Missing Authorization (BAC) to Arbitrary Option Deletion (BAC) |
SK WP Settings Backup | Cross-Site Request Forgery (CSRF) to PHP Object Injection (BAC) |
Sky Addons for Elementor | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
Sky Addons for Elementor | Missing Authorization (BAC) to Arbitrary Options Update (BAC) |
Smart Marketing SMS and Newsletters Forms | Broken Access Control (BAC) |
Social Login | Authentication Bypass (BAC) |
Spam protection, AntiSpam, FireWall by CleanTalk | Authorization Bypass (BAC) from Reverse DNS Spoofing |
Spam protection, AntiSpam, FireWall by CleanTalk | Authorization Bypass (BAC) |
Styler for Ninja Forms | Arbitrary Option Deletion (BAC) from deactivate_license |
Super Socializer | Authentication Bypass (BAC) |
Support SVG | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
SVG Block | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
System Dashboard | Path Traversal (BAC) |
Team Rosters | PHP Object Injection (BAC) |
Th Shop Mania Theme | Arbitrary Plugin Installation (BAC) and Activation (BAC) |
The Novel Design Store Directory | Arbitrary File Upload (BAC) |
Tickera | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Top Store Theme | Arbitrary Plugin Installation (BAC) and Activation (BAC) |
Tumult Hype Animations | Missing Authorization (BAC) |
Tumult Hype Animations | Arbitrary File Upload (BAC) from hypeanimations_panel Function |
Tutor LMS | User Registration (BAC) Setting Bypass (BAC) to Unauthorized User Registration (BAC) |
Uix Slideshow | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Ultimate Member | Missing Authorization (BAC) to Arbitrary User Profile Picture Update (BAC) |
Ultimate YouTube Video & Shorts Player With Vimeo | Missing Authorization (BAC) to Arbitrary Playlist and Video Deletion (BAC) |
Ultimate YouTube Video & Shorts Player With Vimeo | Missing Authorization (BAC) to Setting Exposure |
User Extra Fields | Unauthenticated Arbitrary File Upload (BAC) |
User Extra Fields | Missing Authorization (BAC) to Privilege Escalation (BAC) |
User Extra Fields | Unauthenticated Arbitrary File Deletion (BAC) |
User Management | Arbitrary File Upload (BAC) |
UserPlus | Privilege Escalation (BAC) |
Video Gallery for WooCommerce | Missing Authorization (BAC) to Unauthenticated File Deletion (BAC) |
Wawp | Account Takeover (BAC) |
WDES Responsive Mobile Menu | PHP Object Injection (BAC) |
WOLF | CSV Path Traversal (BAC) |
WooCommerce Product Table Lite | Unauthenticated Arbitrary Shortcode Execution (BAC) & Cross-Site Scripting (XSS) |
WooCommerce Report | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
WooCommerce Social Login | Authentication Bypass (BAC) |
WooCommerce Support Ticket System | Unauthenticated Arbitrary File Deletion (BAC) |
WooCommerce Support Ticket System | Unauthenticated Arbitrary File Upload (BAC) |
WooCommerce Upload Files | Unauthenticated Arbitrary File Upload (BAC) |
WOOCS – WooCommerce Currency Switcher | Unauthenticated Arbitrary Shortcode Execution (BAC) |
WordPress GDPR & CCPA | Missing Authorization (BAC) to Unauthenticated Arbitrary User Deletion (BAC) |
WordPress Video Robot - The Ultimate Video Importer | Privilege Escalation (BAC) from User Meta Update (BAC) |
WP Chat App | Missing Authorization (BAC) to Filebird Plugin Installation (BAC) |
WP Log Viewer | Missing Authorization (BAC) |
WP Membership | Unauthenticated Arbitrary File Upload (BAC) |
WP Photo Album Plus | Unauthenticated Arbitrary Shortcode Execution (BAC) from getshortcodedrenderedfenodelay |
WP Project Manager | Insecure Direct Object Reference (IDOR) to Unauthenticated Authorization Bypass (BAC) |
WP Project Manager | Missing Authorization (BAC) to Project Milestone and Task Creation (BAC) and Deletion |
WP Quick Setup | Arbitrary Plugin and Theme Installation (BAC) to Remote Code Execution (RCE) |
WP Travel Engine | Missing Authorization (BAC) to Plugin Settings Update (BAC) |
WP User Manager | Missing Authorization (BAC) to User Meta Key Enumeration |
WP User Manager | Missing Authorization (BAC) to Carbon Fields Custom Sidebar Addition (BAC) and Removal |
WP-Orphanage Extended | Cross-Site Request Forgery (CSRF) to Orphan Account Privilege Escalation (BAC) |
WPB Popup for Contact Form 7 | Unauthenticated Arbitrary Shortcode Execution (BAC) from wpb_pcf_fire_contact_form |
WPDash Notes | Missing Authorization (BAC) to Private Information Exposure |
WPGYM | Missing Authorization (BAC) to Privilege Escalation (BAC) |
WPGYM | Unauthenticated Arbitrary File Upload (BAC) |
WPLMS Theme | Unauthenticated Arbitrary File Read (BAC) and Deletion (BAC) |
WPvivid Backup and Migration | Unauthenticated PHP Object Injection (BAC) |
Writer Helper | Arbitrary File Upload (BAC) |
Xin Theme | PHP Object Injection (BAC) |
Xpresslane Fast Checkout | PHP Object Injection (BAC) |
XT Floating Cart for WooCommerce | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Yaad Sarig Payment Gateway For WC | Missing Authorization (BAC) to Log Read (BAC) and Deletion |
Zotpress | Missing Authorization (BAC) |
WordPress BAC & WP Broken Access Control reported in 2023: | 931 |
WordPress BAC & WP Broken Access Control reported in 2024: | 1805 |
How wonderful would it be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of a premium cup of coffee per week for your first managed service.
Start simply by contacting us with your selections.