Be informed about the latest WP Broken Access Control vulnerabilities, identified and reported publicly. WP BAC JAN 2025 is a +7% INCREASE compared to the previous month. For your online safety, consider a managed security AUDIT, or switching to a TOP10LIST alternative WP Security Plugin, or hiring professionals for managed Security.
If any of these publicly reported plugins with non-enforced access control is installed on your domain, it opens Pandora's box from a security point of view: a missing capability or nonce check lets a visitor, or a low-privileged user, reach an action that should have been restricted. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Plugin / Theme | Reported issue |
3DPrint Lite | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
ACF City Selector | Arbitrary File Upload (BAC) |
Active Products Tables for WooCommerce | Unauthenticated Arbitrary Shortcode Execution (BAC) from woot_get_smth |
AdForest | Authentication Bypass (BAC) |
Advanced File Manager | Arbitrary File Upload (BAC) |
Advance Menu Manager | Settings Change (BAC) |
Agency Toolkit | Privilege Escalation (BAC) |
AI Magic | Privilege Escalation (BAC) |
AIO Contact | Unauthenticated Plugin Settings Change (BAC) |
AI Post Generator | AutoWriter | Missing Authorization (BAC) to Post/Page Deletion (BAC) |
AI Quiz | Missing Authorization (BAC) to Arbitrary Options Update (BAC) |
Analytify | Broken Access Control (BAC) |
Arabic Webfonts | Broken Access Control (BAC) |
Arena.IM – Live Blogging for real-time events | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
ARForms | Arbitrary File Read (BAC) |
ARForms | Plugin Settings Change (BAC) |
AR For WordPress | Missing Authorization (BAC) to Unauthenticated Limited File Upload (BAC) |
ARMember | Arbitrary Shortcode Execution (BAC) |
Ashe Extra | Broken Access Control (BAC) |
Authors List | Unauthenticated Arbitrary Shortcode Execution (BAC) from update_authors_list_ajax |
Awesome Support | Broken Access Control (BAC) |
AyeCode Connect | Broken Access Control (BAC) |
Banner System | Broken Access Control (BAC) |
Biagiotti Membership | Authentication Bypass (BAC) from biagiotti_membership_check_facebook_user |
Bit Form – Contact Form Plugin | Missing Authorization (BAC) to Form Submission Private Data Disclosure |
Bold Page Builder | Path Traversal (BAC) |
Button Block | Post Private Data Disclosure from Post Duplication (BAC) |
Caldera SMTP Mailer | Broken Access Control (BAC) |
Car Dealer | Broken Access Control (BAC) |
CE21 Suite | Privilege Escalation (BAC) |
Church Admin | Broken Access Control (BAC) |
CLUEVO LMS, E-Learning Platform | Cross-Site Request Forgery (CSRF) to Module Deletion (BAC) |
CM Answers | Broken Access Control (BAC) |
Computer Repair Shop | Account Takeover (BAC) |
Computer Repair Shop | Missing Authorization (BAC) to Account Takeover (BAC) + Privilege Escalation (BAC) |
Contact Form by WPForms | Missing Authorization (BAC) to Payment Refund and Subscription Cancellation |
Contact Form, Survey & Form Builder – MightyForms | Broken Access Control (BAC) |
CoSchool LMS | Account Takeover (BAC) |
Cost Calculator Builder | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Coupon Affiliates | Unauthenticated Arbitrary Shortcode Execution (BAC) and Cross-Site Scripting (XSS) |
Crafthemes Demo Import Theme | Arbitrary File Upload (BAC) in process_uploaded_files |
Custom Skins Contact Form 7 | Missing Authorization (BAC) to Arbitrary Post Update (BAC) and Skin Creation |
Database Backup | Arbitrary File Read (BAC) |
Data Tables Generator by Supsystic | Broken Access Control (BAC) |
DELUCKS SEO | Arbitrary File Download (BAC) |
DN Shipping by Weight for WooCommerce | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Download Manager | Broken Access Control (BAC) |
Download Manager | Improper Authorization (BAC) to Unauthenticated Download of Password Protected Files + Private Data |
Download Manager | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Dreamfox Media Payment gateway per Product for Woocommerce | Broken Access Control (BAC) |
Easy Blocks pro | Broken Access Control (BAC) |
Easy Digital Downloads | Improper Authorization (BAC) to Paywall Bypass (BAC) |
Easy Digital Downloads | Arbitrary File Download (BAC) |
Easy Site Importer | Settings Change (BAC) |
EditionGuard for WooCommerce – eBook Sales with DRM | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
eewee admin custom | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Eleblog – Elementor Blog And Magazine Addons | Missing Authorization (BAC) to Deactivation Submission |
Element Pack Elementor Addons | Missing Authorization (BAC) |
ELEX WooCommerce Dynamic Pricing and Discounts | Missing Authorization (BAC) |
Essential Real Estate | Missing Authorization (BAC) to Information Exposure |
Event Tickets with Ticket Scanner | Missing Authorization (BAC) to Cross-Site Scripting (XSS) |
Eyewear prescription form | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
Falcon – WordPress Optimizations & Tweaks | Broken Access Control (BAC) |
Filebird | Broken Access Control (BAC) |
File Manager Pro | Missing Authorization (BAC) to Filebird Plugin Installation (BAC) |
Firebase OTP Authentication | Account Takeover (BAC) |
Flash News / Post (Responsive) | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Floating Action Buttons | Broken Access Control (BAC) |
FloristPress | Broken Access Control (BAC) |
FloristPress | Nonce Leakage to Broken Access Control (BAC) |
FooGallery Premium | Directory Traversal (BAC) |
Friends | Missing Authorization (BAC) |
Gaga Lite Theme | Arbitrary Plugin Activation (BAC) and Deactivation (BAC) to Remote Code Execution (RCE) |
gap-hub-user-role | Cross-Site Request Forgery (CSRF) to Broken Authentication (BAC) |
GEO my WordPress | Broken Access Control (BAC) |
GitSync | Cross-Site Request Forgery (CSRF) to Remote Code Execution (BAC) |
Gold Addons for Elementor | Missing Authorization (BAC) to License Activation (BAC) and Deactivation (BAC) |
Gou Manage My Account Menu | Broken Access Control (BAC) |
Grid Plus | Unauthenticated Arbitrary Shortcode Execution (BAC) from grid_plus_load_by_category |
Hash Form | Missing Authorization (BAC) to Form Style Creation |
HQ Rental Software | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
If Menu | Missing Authorization (BAC) to License Key Update (BAC) |
Import Export For WooCommerce | Arbitrary File Upload (BAC) |
Insertify | Cross-Site Request Forgery (CSRF) to Remote Code Execution (BAC) |
Job Board Manager | Broken Access Control (BAC) |
KH Easy User Settings | Privilege Escalation (BAC) |
kk Star Ratings | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Knowledge Base documentation & wiki plugin – BasePress | Missing Authorization (BAC) to Database Update (BAC) |
Ksher | Broken Access Control (BAC) |
Leader | Broken Access Control (BAC) |
LifterLMS | Missing Authorization (BAC) to Arbitrary Post Deletion (BAC) |
ListApp Mobile Manager | Account Takeover (BAC) |
Login Page Styler | Missing Authorization (BAC) to Privilege Escalation (BAC) |
Login With OTP | Authentication Bypass (BAC) from Weak OTP |
Maintenance & Coming Soon Redirect Animation | Missing Authorization (BAC) to Settings Update (BAC) |
MainWP Child | Missing Authorization (BAC) to Unauthenticated Privilege Escalation (BAC) |
MarketKing | Missing Authorization (BAC) |
Mark New Posts | Broken Access Control (BAC) |
Maspik – Spam blacklist | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
Member Directory and Contact Form | Broken Access Control (BAC) |
Memberful | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Members | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Message Filter for Contact Form 7 | Broken Access Control (BAC) |
Message Filter for Contact Form 7 | Missing Authorization (BAC) to Filter Updates (BAC)/Deletions |
Minimum and Maximum Quantity for WooCommerce | Broken Access Control (BAC) |
Minterpress | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
MP3 Audio Player for Music, Radio & Podcast by Sonaar | Broken Access Control (BAC) |
MStore API | HTML File Upload (BAC) (Cross-Site Scripting (XSS)) |
News Ticker for Elementor | Broken Access Control (BAC) |
New User Approve | Broken Access Control (BAC) |
Ninja Forms | Arbitrary Shortcode Execution (BAC) |
Notibar | Arbitrary Shortcode Execution (BAC) from njt_nofi_text |
Notibar | Broken Access Control (BAC) |
OAuth Single Sign On – SSO (OAuth Client) | Authentication Bypass (BAC) |
One Paze Theme | Arbitrary Plugin Activation (BAC) and Deactivation (BAC) to Remote Code Execution (RCE) |
Opt-In Downloads | Arbitrary File Upload (BAC) |
Order Delivery & Pickup Location Date Time | Settings Change (BAC) |
Page Restriction WordPress (WP) | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Paid Member Subscriptions | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Pie Register (Add on) - Social Sites Login | Authentication Bypass (BAC) |
Pie Register Premium | Arbitrary File Upload (BAC) |
Pinpoint Booking System | Broken Access Control (BAC) |
PixProof | Broken Access Control (BAC) |
PlugVersions | Missing Authorization (BAC) to Arbitrary File Creation |
Pojo Forms | Arbitrary Shortcode Execution (BAC) from form_preview_shortcode |
Poll Maker | Cross-Site Request Forgery (CSRF) to Poll Duplication (BAC) |
Popup Surveys & Polls for WordPress (Mare.io) | Settings Change (BAC) |
Posti Shipping | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
PPWP – WordPress Password Protect Page | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Premium Addons for Elementor | Broken Access Control (BAC) |
Print Invoice & Delivery Notes for WooCommerce | Missing Authorization (BAC) to Logo Deletion (BAC) |
Prodigy Commerce | Broken Access Control (BAC) |
Projectopia | Account Takeover (BAC) |
Pubnews Theme | Unauthenticated Arbitrary Plugin Installation (BAC) |
Quietly Insights | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
RapidLoad Power-Up for Autoptimise | Missing Authorization (BAC) to Plugin Settings Modification (BAC) and SQL Injection (SQLi) |
Restrict | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Revy | Unauthenticated Arbitrary File Upload (BAC) |
Royal Elementor Addons | Broken Access Control (BAC) |
SG Helper | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Sign In With Google | Authentication Bypass (BAC) in authenticate_user |
Simple Dashboard | Privilege Escalation (BAC) |
Simple Ecommerce Shopping Cart | Missing Authorization (BAC) to Settings Update (BAC) / Data Access |
Simple Link Directory | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Simple Notification | Broken Access Control (BAC) |
Simple Page Access Restriction | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Simple Restrict | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
Simple User Registration | Broken Access Control (BAC) on User Deletion (BAC) |
Sinking Dropdowns | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
SiteOrigin Widgets Bundle | Broken Access Control (BAC) |
Smart Shopify Product | Arbitrary Content Deletion (BAC) |
SMS for Lead Capture Forms | Missing Authorization (BAC) to Arbitrary Message Deletion (BAC) |
Sogrid | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
Spreadr Woocommerce | Arbitrary Content Deletion (BAC) |
Spreadr Woocommerce | Broken Access Control (BAC) |
SSL Wireless SMS Notification | Privilege Escalation (BAC) |
SV100 Companion | Privilege Escalation (BAC) |
SVG Shortcode | Cross-Site Scripting (XSS) from SVG Upload (BAC) |
Sweet Date Theme | Privilege Escalation (BAC) |
Termin-Kalender | Broken Access Control (BAC) |
Timetics | Missing Authorization (BAC) to Arbitrary User Deletion (BAC) |
TI WooCommerce Wishlist | Missing Authorization (BAC) to Unauthenticated Plugin Setup Wizard Access |
Torod | Settings Change (BAC) |
Traveler | Missing Authorization (BAC) in Several AJAX Actions |
Tutor LMS Elementor Addons | Broken Access Control (BAC) |
Userpro | Arbitrary User Meta Update (BAC) |
User Role Editor | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
vBSSO-lite | Account Takeover (BAC) |
VibeBP | Unauthenticated Privilege Escalation (BAC) |
Video & Photo Gallery for Ultimate Member | Arbitrary File Upload (BAC) |
Visualmodo Elements | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
VW Automobile Lite Theme | Broken Access Control (BAC) |
Wayne Audio Player | Cross-Site Request Forgery (CSRF) to Privilege Escalation (BAC) |
WC Price History for Omnibus | Missing Authorization (BAC) |
WDesignkit | Arbitrary File Upload (BAC) |
Widget Options | Broken Access Control (BAC) |
Woffice Theme | Unauthenticated Account Takeover (BAC) |
WooCommerce Basic Ordernumbers | Broken Access Control (BAC) |
WooCommerce PDF Vouchers | Broken Authentication (BAC) |
WooCommerce Point of Sale | Insecure Direct Object Reference (IDOR) to Privilege Escalation (BAC) from Arbitrary User Email Change (BAC) |
WoodMart | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Wovax IDX | Account Takeover (BAC) |
WP BASE Booking | Missing Authorization (BAC) to Private Data Information Exposure from app_export_db |
WPBITS Addons For Elementor Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
WPCargo Track & Trace | Settings Change (BAC) |
WP Cookie Notice for GDPR, CCPA & ePrivacy Consent | Missing Authorization (BAC) to Whitelist Script |
WP-CRM System | Broken Access Control (BAC) |
WP Crowdfunding | Missing Authorization (BAC) to WooCommerce Installation (BAC) |
WPC Shop as a Customer for WooCommerce | Authentication Bypass (BAC) Due to Insufficiently Unique Key |
WP Hide Security Enhancer | Missing Authorization (BAC) to Unauthenticated Arbitrary File Contents Deletion (BAC) |
WPLMS | Arbitrary Directory Deletion (BAC) |
WPLMS | Arbitrary File Upload (BAC) |
WPLMS | Arbitrary File Upload (BAC) |
WPLMS | Arbitrary File Upload (BAC) |
WPLMS | Arbitrary File Deletion (BAC) |
WPLMS | Arbitrary File Upload (BAC) |
WPLMS | Unauthenticated Arbitrary Directory Deletion (BAC) |
WPLMS | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
WPLMS | Unauthenticated Arbitrary File Upload (BAC) |
WPLMS | Unauthenticated Privilege Escalation (BAC) |
WP Mailster | Broken Access Control (BAC) |
WP Mailster | Broken Access Control (BAC) |
WPMasterToolKit | Arbitrary File Download (BAC) |
WPMasterToolKit | Arbitrary File Upload (BAC) |
WP Menu Image | Broken Access Control (BAC) |
WPMobile.App | Unauthenticated Arbitrary Shortcode Execution (BAC) |
Wp NssUser Register | Privilege Escalation (BAC) |
WP Private Content Plus | Unauthenticated Content Restriction Bypass (BAC) to Private Data Information Exposure |
WP SHAPES | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
WPSSO Core | Broken Access Control (BAC) |
WP SuperBackup | Multiple Broken Access Control (BAC) |
WP SuperBackup | Unauthenticated Arbitrary File Upload (BAC) |
WP SuperBackup | Unauthenticated Arbitrary File Upload (BAC) |
WP SuperBackup | Unauthenticated Backup File Download (BAC) |
WP Travel | Broken Access Control (BAC) |
XML Multilanguage Sitemap Generator | Broken Access Control (BAC) |
Youtube Video Grid | Cross-Site Request Forgery (CSRF) to Settings Change (BAC) |
Zita Site Builder | Arbitrary Plugin Installation (BAC) and Activation (BAC) |
畅言评论系统 | Broken Access Control (BAC) |
WordPress BAC & WP Broken Access Control reported in 2023: | 931 |
WordPress BAC & WP Broken Access Control reported in 2024: | 2024 |
WordPress BAC & WP Broken Access Control reported in 2025: | 219 |
How wonderful would it be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of a premium cup of coffee per week for your first managed service.
Start simply by contacting us with your selections.