Discover managed ACQUISITION metrics for WordPress, WooCommerce, Shopify, SaaS. Managed for you on your domain, inside your hosting account, in your country. With a good managed monitoring strategy in place, you'll gain greater transparency & visibility into your operations with a timely alerting system.
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC JUL 2024 is a +44% INCREASE compared to previous month. Consider for your online safety, a managed security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin - OR - Hire professionals for managed Security.
As these non-enforced access cases from publicly reported vulnerable plugins are on your domain, it opens Pandora’s box from a security point of view. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Admin Notices Manager | Missing Authorization (BAC) to User Email Retrieval |
Advanced Contact form 7 DB | Missing Authorization (BAC) to Unauthenticated Information Disclosure (BAC) |
Advanced Custom Fields PRO | Broken Access Control (BAC) |
Advanced Custom Fields PRO | Broken Access Control (BAC) |
Album Gallery – WordPress Gallery | Broken Access Control (BAC) |
Ali2Woo Lite | Arbitrary File Upload (BAC) |
Ali2Woo Lite | Broken Access Control (BAC) |
Ali2Woo Lite | Broken Access Control (BAC) |
Ali2Woo Lite | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Attire Blocks | Missing Authorization (BAC) |
Authorize.net Payment Gateway For WooCommerce | Insufficient Verification of Data Authenticity to Unauthenticated Payment Bypass (BAC) |
Auto Featured Image | Arbitrary File Upload (BAC) |
Awesome Support | Broken Access Control (BAC) |
Bookster | Unauthenticated Appointment Status Update (BAC) (BAC) |
Boostify Header Footer Builder for Elementor | Missing Authorization (BAC) to Page/Post Creation (BAC) |
Bosa Elementor Addons and Templates for WooCommerce | Broken Access Control (BAC) |
BuddyForms | Email Verification Bypass (BAC) due to Insufficient Randomness |
BuddyPress Cover | Arbitrary File Upload (BAC) |
CB (legacy) | Code/Timeframe/Booking Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
CF7 Google Sheets Connector | Missing Authorization (BAC) to Limited Site Configuration Update (BAC) |
Checkout Field Editor for WooCommerce (Pro) | Unauthenticated Arbitrary File Deletion (BAC) |
Church Admin | Broken Access Control (BAC) |
Claudio Sanches | Insufficient Verification of Data Authenticity to Order Payment Status Update (BAC) (BAC) |
Clever Fox | Missing Authorization (BAC) to arbitrary theme activation via clever-fox-activate-theme |
Contact Form Builder, Contact Widget | Bypass (BAC) |
ContentLock | Groups/Emails Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
ContentLock | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
ConvertKit | Broken Access Control (BAC) |
Cookie Consent | Broken Access Control (BAC) |
Copymatic – AI Content Writer & Generator | Broken Access Control (BAC) |
Countdown & Clock | Missing Authorization (BAC) to PHP Object Injection |
Custom Font Uploader | Missing Authorization (BAC) to Font Deletion (BAC) |
Dashboard To-Do List | Broken Access Control (BAC) |
Database Cleaner | Arbitrary File Read (BAC) |
Debug Log Manager | Broken Access Control (BAC) |
Defender Security | Broken Access Control (BAC) |
Demo Awesome | Broken Access Control (BAC) |
e2pdf | Broken Access Control (BAC) |
Easy Affiliate Links | Missing Authorization (BAC) to Settings Reset (BAC) |
Easy Forms for Mailchimp | Broken Access Control (BAC) |
Easy Image Collage | Missing Authorization (BAC) to Arbitrary Post Content Deletion (BAC) |
Elements kit Elementor addons | Unauthenticated Broken Access Control (BAC) |
Essential Real Estate | Insecure Direct Object Reference (IDOR) to Arbitrary Attachment Deletion (BAC) |
Extra Product Options for WooCommerce | Broken Access Control (BAC) |
Featured Image from URL | Broken Access Control (BAC) |
File Manager | Broken Access Control (BAC) |
Five Star Restaurant Menu | Missing Authorization (BAC) to Menu Creation (BAC) |
Folders Pro | Arbitrary File Upload (BAC) via handle_folders_file_upload |
FooEvents for WooCommerce | Arbitrary File Upload (BAC) |
Frontend Registration – Contact Form 7 | Privilege Escalation (BAC) |
GDPR CCPA Compliance Support | Missing Authorization (BAC) to Settings Update (BAC) and Cross-Site Scripting (XSS) |
Hercules Core | Arbitrary Settings Change/Access (BAC) |
Hide Dashboard Notifications | Missing Authorization (BAC) to Plugin Settings Modification (BAC) |
Ibtana | Broken Access Control (BAC) |
Ibtana | Unauthenticated Plugin Settings Update (BAC) |
Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery | Broken Access Control (BAC) |
Infographic Maker – iList | Arbitrary Title Update (BAC) |
Insert Post Ads | Broken Access Control (BAC) |
InstaWP Connect | Arbitrary File Upload (BAC) |
InstaWP Connect | Missing Authorization (BAC) to Unauthenticated API setup/Arbitrary Options Update (BAC) /Administrative User Creation (BAC) |
Integrate Google Drive | Broken Access Control (BAC) |
Kadence Blocks Pro | Arbitrary Option Access (BAC) |
Kanban Boards for WordPress | Broken Access Control (BAC) |
LA-Studio Element Kit for Elementor | Broken Access Control (BAC) |
LatePoint | Missing Authorization (BAC) and Private Information Exposure via IDOR |
Laybuy Payment Extension for WooCommerce | Broken Access Control (BAC) |
LearnPress | Private Information Disclosure (BAC) via JSON API |
Leyka | Broken Access Control (BAC) |
Lifeline Donation | Authentication Bypass (BAC) |
Login/Signup Popup | Missing Authorization (BAC) to Arbitrary Options Exposure (BAC) |
Login/Signup Popup | Missing Authorization (BAC) to Arbitrary Options Update (BAC) |
Login with phone number | Insecure Password Reset (BAC) Mechanism |
Market Exporter | Missing Authorization (BAC) to Arbitrary File Deletion (BAC) |
Master Addons for Elementor | Broken Access Control (BAC) on API |
Master Addons for Elementor | Missing Authorization (BAC) to MA Template Creation (BAC) or Modification (BAC) |
Masterstudy Elementor Widgets | Unauthenticated Broken Access Control (BAC) |
MasterStudy LMS | Broken Access Control (BAC) |
Materialis Theme | Missing Authorization (BAC) to Limited Arbitrary Options Update (BAC) |
Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow | Broken Access Control (BAC) |
Minimal Coming Soon & Maintenance Mode – Coming Soon Page | Missing Authorization (BAC) to Limited Settings Change |
MJ Update (BAC) History | Broken Access Control (BAC) |
Muslim Prayer Time BD | Settings Reset (BAC) via Cross-Site Request Forgery (CSRF) |
Netgsm | Broken Access Control (BAC) |
Newsletter - API addon (Premium) | Missing Authorization (BAC) to Email Subscribers Management |
Newspack Blocks | Arbitrary Directory Deletion (BAC) |
Newspack Blocks | Arbitrary File Upload (BAC) |
Newspack Blocks | Broken Access Control (BAC) |
Optinly | Broken Access Control (BAC) |
Page Builder Sandwich – Front-End Page Builder | Broken Access Control (BAC) |
Paid Memberships Pro | Cross-Site Request Forgery to Membership Modification (BAC) |
Patreon WordPress | Image Protection Bypass (BAC) |
Pearl | Missing Authorization (BAC) to Unauthenticated Arbitrary Site Options Deletion (BAC) |
Pexels: Free Stock Photos | Arbitrary File Upload (BAC) |
Play.ht | Broken Access Control (BAC) |
Popup box | Broken Access Control (BAC) |
Popup Builder | Missing Authorization (BAC) in Multiple AJAX Actions |
Popup Builder | Missing Authorization (BAC) and Nonce Exposure |
ProfileGrid | Missing Authorization (BAC) |
Progress Planner | Broken Access Control (BAC) |
Promolayer | Missing Authorization (BAC) |
PropertyHive | Broken Access Control (BAC) |
QQWorld Auto Save Images | Missing Authorization (BAC) to Arbitrary Post Content Retrieval |
Radcliffe 2 Theme | Broken Access Control (BAC) |
Restrict for Elementor | Protection Mechanism Bypass (BAC) |
Robo Gallery | Cross-Site Request Forgery to Post Creation (BAC) |
Salon booking system | Unauthenticated Arbitrary File Upload (BAC) |
Salon booking system | Arbitrary File Deletion (BAC) |
Salon booking system | Missing Authorization (BAC) |
SC filechecker | Arbitrary File Deletion (BAC) |
Scheduling Plugin – Online Booking for WordPress | Unauthenticated Plugin Settings Reset (BAC) |
Sensei LMS | Broken Access Control (BAC) |
Sensei Pro (WC Paid Courses) | Broken Access Control (BAC) |
Simple COD Fees for WooCommerce | Broken Access Control (BAC) |
Sirv | Arbitrary File Upload (BAC) |
SiteGuard WP Plugin | Login Page Disclosure (BAC) |
Slider Responsive Slideshow – Image slider, Gallery slideshow | Broken Access Control (BAC) |
Smush Image Compression and Optimization | Resmush List Deletion (BAC) |
Social Link Pages | Missing Authorization (BAC) to Arbitrary Page Creation (BAC) and Cross-Site Scripting (XSS) |
Social Login Lite For WooCommerce | Authentication Bypass (BAC) |
Sparkle Demo Importer | Post/Pages/Attachements Deletion (BAC) and Demo Data Import |
Squeeze | Arbitrary File Upload (BAC) |
Startklar Elementor Addons | Unauthenticated Path Traversal to Arbitrary Directory Deletion (BAC) |
Strategery Migrations | Arbitrary File Deletion (BAC) |
Strong Testimonials | Improper Authorization to Views Modification (BAC) |
The Moneytizer | Missing Authorization (BAC) via multiple AJAX actions |
Tickera | Broken Access Control (BAC) |
Tickera | Ticket Deletion (BAC) |
Timetics | Broken Access Control (BAC) |
Timetics | Missing Authorization (BAC) to Limited Privilege Escalation (BAC) |
Tutor LMS | Insecure Direct Object Reference (IDOR) to Arbitrary Quiz Attempt Deletion (BAC) |
Uber Menu | Cross-Site Request Forgery to Settings Reset (BAC) |
Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Uncanny Automator Pro | Cross-Site Request Forgery (CSRF) Leading to License Settings Reset (BAC) |
Uncanny Automator Pro | Unauthenticated License Settings Reset (BAC) |
Under Construction / Maintenance Mode from Acurax | IP Bypass (BAC) |
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | Broken Access Control (BAC) |
Upload Fields for WPForms | Broken Access Control (BAC) |
Upunzipper | Arbitrary File Deletion (BAC) |
User Profile Picture | Insecure Direct Object Reference (IDOR) to Profile Picture Update (BAC) |
User Registration | Missing Authorization (BAC) to Privilege Escalation (BAC) |
User Rights Access Manager | Broken Access Control (BAC) |
Wheel of Life | Missing Authorization (BAC) on Several AJAX Endpoints |
WishList Member X | Arbitrary File Deletion (BAC) |
WishList Member X | Privilege Escalation (BAC) |
WooBuddy | Broken Access Control (BAC) |
Woocommerce Customers Order History | Broken Access Control (BAC) |
WooCommerce Social Login | Email Verification Bypass (BAC) |
WooCommerce Tools | Missing Authorization (BAC) to Plugin Module Deactivation (BAC) |
WP Child Theme Generator | Unauthenticated Child Theme Creation (BAC) /Activation |
WP Dark Mode | Missing Authorization (BAC) |
wpDataTables | Missing Authorization (BAC) to DataTable Access & Modification (BAC) |
WP-DB-Table-Editor | Missing Authorization (BAC) to Database Access |
WP EasyCart | Broken Access Control (BAC) |
WP Force SSL & HTTPS SSL Redirect | Missing Authorization (BAC) to Settings Update (BAC) |
WP Job Manager - Resume Manager | Broken Access Control (BAC) |
WP Maintenance | IP Spoofing to Maintenance Mode Bypass (BAC) |
WP-Recall | Unauthenticated Payment Deletion (BAC) via delete_payment |
WP Reset (BAC) | Missing Authorization (BAC) to License Key Modification (BAC) |
WPS Hide Login | Login Page Disclosure (BAC) |
WP Time Slots Booking Form | Broken Access Control (BAC) |
WP Translate | Broken Access Control (BAC) |
WPUpper Share Buttons | Missing Authorization (BAC) |
Zita Elementor Site Library | Missing Authorization (BAC) |
WordPress BAC & WP Broken Access Control reported in 2023: | 931 |
WordPress BAC & WP Broken Access Control reported in 2024: | 891 |
How wonderful would be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of a premium cup of coffee per week, for your first managed service.
Start simply by contacting us with your selections:
We care about the protection of your personal data. Update, subscribe or unsubscribe anytime. Read our Privacy Policy.