WP BAC JUL 2024

WP BAC JUL 2024: Brutal 163 WP Broken Access Control

Sponsored by:

Discover managed ACQUISITION metrics for WordPress, WooCommerce, Shopify, SaaS. Managed for you on your domain, inside your hosting account, in your country. With a good managed monitoring strategy in place, you'll gain greater transparency & visibility into your operations with a timely alerting system.

Stay informed about the latest publicly identified and reported WP Broken Access Control issues. WP BAC JUL 2024 is a +44% INCREASE compared to the previous month. For your online safety, consider a managed security AUDIT, – OR – switching to a TOP10LIST alternative WP Security Plugin - OR - hiring professionals for managed Security.

Contact your online project manager:

Order managed services

Fast forward 2-3 years: your business is on autopilot, yet you are in control. Your 3rd party integrations still work, your partners and your customers are happy.

There hasn’t been a crisis or “online emergency” in ages, and all your reports are OK and green. Whimsical? The future is already here. Step into your future today.

WP BAC JUL 2024

If any of these publicly reported plugins with non-enforced access checks is installed on your domain, it opens Pandora’s box from a security point of view: a missing capability or nonce check lets an unauthenticated visitor, a subscriber-level account or a crafted cross-site request do what only an administrator should. Check the list against the plugins you actually have installed; a listed plugin is a problem only while you run an unpatched version, so compare your installed version with the vendor’s advisory and update. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:

Admin Notices Manager Missing Authorization (BAC) to User Email Retrieval
Advanced Contact form 7 DB Missing Authorization (BAC) to Unauthenticated Information Disclosure (BAC)
Advanced Custom Fields PRO Broken Access Control (BAC)
Advanced Custom Fields PRO Broken Access Control (BAC)
Album Gallery – WordPress Gallery Broken Access Control (BAC)
Ali2Woo Lite Arbitrary File Upload (BAC)
Ali2Woo Lite Broken Access Control (BAC)
Ali2Woo Lite Broken Access Control (BAC)
Ali2Woo Lite Broken Access Control (BAC) to Cross-Site Scripting (XSS)
Attire Blocks Missing Authorization (BAC)
Authorize.net Payment Gateway For WooCommerce Insufficient Verification of Data Authenticity to Unauthenticated Payment Bypass (BAC)
Auto Featured Image Arbitrary File Upload (BAC)
Awesome Support Broken Access Control (BAC)
Bookster Unauthenticated Appointment Status Update (BAC)
Boostify Header Footer Builder for Elementor Missing Authorization (BAC) to Page/Post Creation (BAC)
Bosa Elementor Addons and Templates for WooCommerce Broken Access Control (BAC)
BuddyForms Email Verification Bypass (BAC) due to Insufficient Randomness
BuddyPress Cover Arbitrary File Upload (BAC)
CB (legacy) Code/Timeframe/Booking Deletion (BAC) via Cross-Site Request Forgery (CSRF)
CF7 Google Sheets Connector Missing Authorization (BAC) to Limited Site Configuration Update (BAC)
Checkout Field Editor for WooCommerce (Pro) Unauthenticated Arbitrary File Deletion (BAC)
Church Admin Broken Access Control (BAC)
Claudio Sanches Insufficient Verification of Data Authenticity to Order Payment Status Update (BAC)
Clever Fox Missing Authorization (BAC) to arbitrary theme activation via clever-fox-activate-theme
Contact Form Builder, Contact Widget Bypass (BAC)
ContentLock Groups/Emails Deletion (BAC) via Cross-Site Request Forgery (CSRF)
ContentLock Settings Update (BAC) via Cross-Site Request Forgery (CSRF)
ConvertKit Broken Access Control (BAC)
Cookie Consent Broken Access Control (BAC)
Copymatic – AI Content Writer & Generator Broken Access Control (BAC)
Countdown & Clock Missing Authorization (BAC) to PHP Object Injection
Custom Font Uploader Missing Authorization (BAC) to Font Deletion (BAC)
Dashboard To-Do List Broken Access Control (BAC)
Database Cleaner Arbitrary File Read (BAC)
Debug Log Manager Broken Access Control (BAC)
Defender Security Broken Access Control (BAC)
Demo Awesome Broken Access Control (BAC)
e2pdf Broken Access Control (BAC)
Easy Affiliate Links Missing Authorization (BAC) to Settings Reset (BAC)
Easy Forms for Mailchimp Broken Access Control (BAC)
Easy Image Collage Missing Authorization (BAC) to Arbitrary Post Content Deletion (BAC)
Elements kit Elementor addons Unauthenticated Broken Access Control (BAC)
Essential Real Estate Insecure Direct Object Reference (IDOR) to Arbitrary Attachment Deletion (BAC)
Extra Product Options for WooCommerce Broken Access Control (BAC)
Featured Image from URL Broken Access Control (BAC)
File Manager Broken Access Control (BAC)
Five Star Restaurant Menu Missing Authorization (BAC) to Menu Creation (BAC)
Folders Pro Arbitrary File Upload (BAC) via handle_folders_file_upload
FooEvents for WooCommerce Arbitrary File Upload (BAC)
Frontend Registration – Contact Form 7 Privilege Escalation (BAC)
GDPR CCPA Compliance Support Missing Authorization (BAC) to Settings Update (BAC) and Cross-Site Scripting (XSS)
Hercules Core Arbitrary Settings Change/Access (BAC)
Hide Dashboard Notifications Missing Authorization (BAC) to Plugin Settings Modification (BAC)
Ibtana Broken Access Control (BAC)
Ibtana Unauthenticated Plugin Settings Update (BAC)
Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery Broken Access Control (BAC)
Infographic Maker – iList Arbitrary Title Update (BAC)
Insert Post Ads Broken Access Control (BAC)
InstaWP Connect Arbitrary File Upload (BAC)
InstaWP Connect Missing Authorization (BAC) to Unauthenticated API setup/Arbitrary Options Update (BAC) /Administrative User Creation (BAC)
Integrate Google Drive Broken Access Control (BAC)
Kadence Blocks Pro Arbitrary Option Access (BAC)
Kanban Boards for WordPress Broken Access Control (BAC)
LA-Studio Element Kit for Elementor Broken Access Control (BAC)
LatePoint Missing Authorization (BAC) and Private Information Exposure via IDOR
Laybuy Payment Extension for WooCommerce Broken Access Control (BAC)
LearnPress Private Information Disclosure (BAC) via JSON API
Leyka Broken Access Control (BAC)
Lifeline Donation Authentication Bypass (BAC)
Login/Signup Popup Missing Authorization (BAC) to Arbitrary Options Exposure (BAC)
Login/Signup Popup Missing Authorization (BAC) to Arbitrary Options Update (BAC)
Login with phone number Insecure Password Reset (BAC) Mechanism
Market Exporter Missing Authorization (BAC) to Arbitrary File Deletion (BAC)
Master Addons for Elementor Broken Access Control (BAC) on API
Master Addons for Elementor Missing Authorization (BAC) to MA Template Creation (BAC) or Modification (BAC)
Masterstudy Elementor Widgets Unauthenticated Broken Access Control (BAC)
MasterStudy LMS Broken Access Control (BAC)
Materialis Theme Missing Authorization (BAC) to Limited Arbitrary Options Update (BAC)
Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow Broken Access Control (BAC)
Minimal Coming Soon & Maintenance Mode – Coming Soon Page Missing Authorization (BAC) to Limited Settings Change
MJ Update History Broken Access Control (BAC)
Muslim Prayer Time BD Settings Reset (BAC) via Cross-Site Request Forgery (CSRF)
Netgsm Broken Access Control (BAC)
Newsletter - API addon (Premium) Missing Authorization (BAC) to Email Subscribers Management
Newspack Blocks Arbitrary Directory Deletion (BAC)
Newspack Blocks Arbitrary File Upload (BAC)
Newspack Blocks Broken Access Control (BAC)
Optinly Broken Access Control (BAC)
Page Builder Sandwich – Front-End Page Builder Broken Access Control (BAC)
Paid Memberships Pro Cross-Site Request Forgery to Membership Modification (BAC)
Patreon WordPress Image Protection Bypass (BAC)
Pearl Missing Authorization (BAC) to Unauthenticated Arbitrary Site Options Deletion (BAC)
Pexels: Free Stock Photos Arbitrary File Upload (BAC)
Play.ht Broken Access Control (BAC)
Popup box Broken Access Control (BAC)
Popup Builder Missing Authorization (BAC) in Multiple AJAX Actions
Popup Builder Missing Authorization (BAC) and Nonce Exposure
ProfileGrid Missing Authorization (BAC)
Progress Planner Broken Access Control (BAC)
Promolayer Missing Authorization (BAC)
PropertyHive Broken Access Control (BAC)
QQWorld Auto Save Images Missing Authorization (BAC) to Arbitrary Post Content Retrieval
Radcliffe 2 Theme Broken Access Control (BAC)
Restrict for Elementor Protection Mechanism Bypass (BAC)
Robo Gallery Cross-Site Request Forgery to Post Creation (BAC)
Salon booking system Unauthenticated Arbitrary File Upload (BAC)
Salon booking system Arbitrary File Deletion (BAC)
Salon booking system Missing Authorization (BAC)
SC filechecker Arbitrary File Deletion (BAC)
Scheduling Plugin – Online Booking for WordPress Unauthenticated Plugin Settings Reset (BAC)
Sensei LMS Broken Access Control (BAC)
Sensei Pro (WC Paid Courses) Broken Access Control (BAC)
Simple COD Fees for WooCommerce Broken Access Control (BAC)
Sirv Arbitrary File Upload (BAC)
SiteGuard WP Plugin Login Page Disclosure (BAC)
Slider Responsive Slideshow – Image slider, Gallery slideshow Broken Access Control (BAC)
Smush Image Compression and Optimization Resmush List Deletion (BAC)
Social Link Pages Missing Authorization (BAC) to Arbitrary Page Creation (BAC) and Cross-Site Scripting (XSS)
Social Login Lite For WooCommerce Authentication Bypass (BAC)
Sparkle Demo Importer Post/Pages/Attachments Deletion (BAC) and Demo Data Import
Squeeze Arbitrary File Upload (BAC)
Startklar Elementor Addons Unauthenticated Path Traversal to Arbitrary Directory Deletion (BAC)
Strategery Migrations Arbitrary File Deletion (BAC)
Strong Testimonials Improper Authorization to Views Modification (BAC)
The Moneytizer Missing Authorization (BAC) via multiple AJAX actions
Tickera Broken Access Control (BAC)
Tickera Ticket Deletion (BAC)
Timetics Broken Access Control (BAC)
Timetics Missing Authorization (BAC) to Limited Privilege Escalation (BAC)
Tutor LMS Insecure Direct Object Reference (IDOR) to Arbitrary Quiz Attempt Deletion (BAC)
Uber Menu Cross-Site Request Forgery to Settings Reset (BAC)
Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter Broken Access Control (BAC) to Cross-Site Scripting (XSS)
Uncanny Automator Pro Cross-Site Request Forgery (CSRF) Leading to License Settings Reset (BAC)
Uncanny Automator Pro Unauthenticated License Settings Reset (BAC)
Under Construction / Maintenance Mode from Acurax IP Bypass (BAC)
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Broken Access Control (BAC)
Upload Fields for WPForms Broken Access Control (BAC)
Upunzipper Arbitrary File Deletion (BAC)
User Profile Picture Insecure Direct Object Reference (IDOR) to Profile Picture Update (BAC)
User Registration Missing Authorization (BAC) to Privilege Escalation (BAC)
User Rights Access Manager Broken Access Control (BAC)
Wheel of Life Missing Authorization (BAC) on Several AJAX Endpoints
WishList Member X Arbitrary File Deletion (BAC)
WishList Member X Privilege Escalation (BAC)
WooBuddy Broken Access Control (BAC)
Woocommerce Customers Order History Broken Access Control (BAC)
WooCommerce Social Login Email Verification Bypass (BAC)
WooCommerce Tools Missing Authorization (BAC) to Plugin Module Deactivation (BAC)
WP Child Theme Generator Unauthenticated Child Theme Creation (BAC) /Activation
WP Dark Mode Missing Authorization (BAC)
wpDataTables Missing Authorization (BAC) to DataTable Access & Modification (BAC)
WP-DB-Table-Editor Missing Authorization (BAC) to Database Access
WP EasyCart Broken Access Control (BAC)
WP Force SSL & HTTPS SSL Redirect Missing Authorization (BAC) to Settings Update (BAC)
WP Job Manager - Resume Manager Broken Access Control (BAC)
WP Maintenance IP Spoofing to Maintenance Mode Bypass (BAC)
WP-Recall Unauthenticated Payment Deletion (BAC) via delete_payment
WP Reset Missing Authorization (BAC) to License Key Modification (BAC)
WPS Hide Login Login Page Disclosure (BAC)
WP Time Slots Booking Form Broken Access Control (BAC)
WP Translate Broken Access Control (BAC)
WPUpper Share Buttons Missing Authorization (BAC)
Zita Elementor Site Library Missing Authorization (BAC)

WordPress BAC & WP Broken Access Control reported in 2023: 931
WordPress BAC & WP Broken Access Control reported in 2024: 891
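Most entries above come down to a handful of root causes: an AJAX action registered for unauthenticated visitors with no capability check (the "Missing Authorization" entries), a state-changing action with no nonce check (the "via Cross-Site Request Forgery" entries), and an object id taken straight from the request without an ownership check (the "IDOR" entries). The following is an added illustrative example written for this page; it is not code from any plugin listed above or from this site. The plugin, action, option and post-type names (`demo_save_settings`, `demo_settings`, `demo_delete_note`, `demo_note`) are invented for the illustration; the WordPress API calls are real.

```php
<?php
/*
 * Illustrative example only: hypothetical plugin code, not taken from any
 * plugin named on this page. Shows the patterns behind most "Missing
 * Authorization", "CSRF to Settings Update" and "IDOR" entries, then the fix.
 */

// --- VULNERABLE: Missing Authorization -------------------------------------
// Registering the same callback for wp_ajax_nopriv_ exposes it to visitors who
// are not logged in, and the callback never checks a capability or a nonce.
add_action( 'wp_ajax_demo_save_settings',        'demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_vulnerable' );

function demo_save_settings_vulnerable() {
    // Anyone who can reach /wp-admin/admin-ajax.php can overwrite the option.
    update_option( 'demo_settings', $_POST['settings'] );
    wp_send_json_success();
}

// --- HARDENED ------------------------------------------------------------------
// Logged-in hook only, capability check, nonce check, input sanitised.
add_action( 'wp_ajax_demo_save_settings_safe', 'demo_save_settings_hardened' );

function demo_save_settings_hardened() {
    // 1. Authorization: require a real capability, not just "is logged in".
    //    wp_send_json_error() terminates the request after sending the reply.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: verify the nonce sent with the request (dies with 403 on failure).
    check_ajax_referer( 'demo_save_settings', '_ajax_nonce' );

    // 3. Validate and sanitise before touching the database.
    $raw      = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
                ? wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'title'  => sanitize_text_field( $raw['title'] ?? '' ),
        'enable' => ! empty( $raw['enable'] ) ? 1 : 0,
    );
    update_option( 'demo_settings', $settings );
    wp_send_json_success( $settings );
}

// --- IDOR: object id from the request, ownership must be checked --------------
add_action( 'wp_ajax_demo_delete_note', 'demo_delete_note' );

function demo_delete_note() {
    check_ajax_referer( 'demo_delete_note', '_ajax_nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = get_post( $post_id );

    // The vulnerable form stops at "a post with this id exists" and deletes it.
    // Hardened: the delete_post meta-capability is resolved for this specific
    // post, so a user can only delete notes they own (or may edit by role).
    if ( ! $post || 'demo_note' !== $post->post_type
         || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// The admin page that issues these requests must hand matching nonces to the
// browser, for example via wp_localize_script():
//   wp_localize_script( 'demo-admin', 'demoAjax', array(
//       'saveNonce'   => wp_create_nonce( 'demo_save_settings' ),
//       'deleteNonce' => wp_create_nonce( 'demo_delete_note' ),
//   ) );
```

Two caveats worth keeping in mind when reading entries such as "Missing Authorization and Nonce Exposure": a WordPress nonce only defends against cross-site request forgery, it is not an authorization mechanism, so a handler that checks a nonce but no capability is still broken access control for any logged-in user (including a subscriber) who can obtain that nonce; and `wp_ajax_nopriv_` is appropriate only for actions that are genuinely meant for anonymous visitors, never as a shortcut for a handler that changes options, files or other users' data.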

A cup of coffee makes a difference ...

How wonderful it would be to simply let others take care of your chores. We absolutely understand why you would want that. That is why we propose this unique campaign: the price of a premium cup of coffee per week for your first managed service.
Start simply by contacting us with your selections:

ultrai.ae managed online © 2023 - 2024 – All rights reserved
We’re on a mission to empower customers who do not want to be forced into becoming IT experts.
