Stay informed about the latest WordPress Broken Access Control (BAC) vulnerabilities that have been identified and publicly reported. WP BAC for JUL 2024 is a +44% INCREASE compared to the previous month. For your online safety, consider a managed security AUDIT, – OR – switching to an alternative WP Security Plugin from our TOP10LIST, – OR – hiring professionals for managed Security.
If any of these publicly reported vulnerable plugins, with their non-enforced access checks, run on your domain, it opens Pandora's box from a security point of view. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
Admin Notices Manager | Missing Authorization (BAC) to User Email Retrieval |
Advanced Contact form 7 DB | Missing Authorization (BAC) to Unauthenticated Information Disclosure (BAC) |
Advanced Custom Fields PRO | Broken Access Control (BAC) |
Advanced Custom Fields PRO | Broken Access Control (BAC) |
Album Gallery – WordPress Gallery | Broken Access Control (BAC) |
Ali2Woo Lite | Arbitrary File Upload (BAC) |
Ali2Woo Lite | Broken Access Control (BAC) |
Ali2Woo Lite | Broken Access Control (BAC) |
Ali2Woo Lite | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Attire Blocks | Missing Authorization (BAC) |
Authorize.net Payment Gateway For WooCommerce | Insufficient Verification of Data Authenticity to Unauthenticated Payment Bypass (BAC) |
Auto Featured Image | Arbitrary File Upload (BAC) |
Awesome Support | Broken Access Control (BAC) |
Bookster | Unauthenticated Appointment Status Update (BAC) |
Boostify Header Footer Builder for Elementor | Missing Authorization (BAC) to Page/Post Creation (BAC) |
Bosa Elementor Addons and Templates for WooCommerce | Broken Access Control (BAC) |
BuddyForms | Email Verification Bypass (BAC) due to Insufficient Randomness |
BuddyPress Cover | Arbitrary File Upload (BAC) |
CB (legacy) | Code/Timeframe/Booking Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
CF7 Google Sheets Connector | Missing Authorization (BAC) to Limited Site Configuration Update (BAC) |
Checkout Field Editor for WooCommerce (Pro) | Unauthenticated Arbitrary File Deletion (BAC) |
Church Admin | Broken Access Control (BAC) |
Claudio Sanches | Insufficient Verification of Data Authenticity to Order Payment Status Update (BAC) |
Clever Fox | Missing Authorization (BAC) to arbitrary theme activation via clever-fox-activate-theme |
Contact Form Builder, Contact Widget | Bypass (BAC) |
ContentLock | Groups/Emails Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
ContentLock | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
ConvertKit | Broken Access Control (BAC) |
Cookie Consent | Broken Access Control (BAC) |
Copymatic – AI Content Writer & Generator | Broken Access Control (BAC) |
Countdown & Clock | Missing Authorization (BAC) to PHP Object Injection |
Custom Font Uploader | Missing Authorization (BAC) to Font Deletion (BAC) |
Dashboard To-Do List | Broken Access Control (BAC) |
Database Cleaner | Arbitrary File Read (BAC) |
Debug Log Manager | Broken Access Control (BAC) |
Defender Security | Broken Access Control (BAC) |
Demo Awesome | Broken Access Control (BAC) |
e2pdf | Broken Access Control (BAC) |
Easy Affiliate Links | Missing Authorization (BAC) to Settings Reset (BAC) |
Easy Forms for Mailchimp | Broken Access Control (BAC) |
Easy Image Collage | Missing Authorization (BAC) to Arbitrary Post Content Deletion (BAC) |
Elements kit Elementor addons | Unauthenticated Broken Access Control (BAC) |
Essential Real Estate | Insecure Direct Object Reference (IDOR) to Arbitrary Attachment Deletion (BAC) |
Extra Product Options for WooCommerce | Broken Access Control (BAC) |
Featured Image from URL | Broken Access Control (BAC) |
File Manager | Broken Access Control (BAC) |
Five Star Restaurant Menu | Missing Authorization (BAC) to Menu Creation (BAC) |
Folders Pro | Arbitrary File Upload (BAC) via handle_folders_file_upload |
FooEvents for WooCommerce | Arbitrary File Upload (BAC) |
Frontend Registration – Contact Form 7 | Privilege Escalation (BAC) |
GDPR CCPA Compliance Support | Missing Authorization (BAC) to Settings Update (BAC) and Cross-Site Scripting (XSS) |
Hercules Core | Arbitrary Settings Change/Access (BAC) |
Hide Dashboard Notifications | Missing Authorization (BAC) to Plugin Settings Modification (BAC) |
Ibtana | Broken Access Control (BAC) |
Ibtana | Unauthenticated Plugin Settings Update (BAC) |
Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery | Broken Access Control (BAC) |
Infographic Maker – iList | Arbitrary Title Update (BAC) |
Insert Post Ads | Broken Access Control (BAC) |
InstaWP Connect | Arbitrary File Upload (BAC) |
InstaWP Connect | Missing Authorization (BAC) to Unauthenticated API Setup/Arbitrary Options Update (BAC)/Administrative User Creation (BAC) |
Integrate Google Drive | Broken Access Control (BAC) |
Kadence Blocks Pro | Arbitrary Option Access (BAC) |
Kanban Boards for WordPress | Broken Access Control (BAC) |
LA-Studio Element Kit for Elementor | Broken Access Control (BAC) |
LatePoint | Missing Authorization (BAC) and Private Information Exposure via IDOR |
Laybuy Payment Extension for WooCommerce | Broken Access Control (BAC) |
LearnPress | Private Information Disclosure (BAC) via JSON API |
Leyka | Broken Access Control (BAC) |
Lifeline Donation | Authentication Bypass (BAC) |
Login/Signup Popup | Missing Authorization (BAC) to Arbitrary Options Exposure (BAC) |
Login/Signup Popup | Missing Authorization (BAC) to Arbitrary Options Update (BAC) |
Login with phone number | Insecure Password Reset (BAC) Mechanism |
Market Exporter | Missing Authorization (BAC) to Arbitrary File Deletion (BAC) |
Master Addons for Elementor | Broken Access Control (BAC) on API |
Master Addons for Elementor | Missing Authorization (BAC) to MA Template Creation (BAC) or Modification (BAC) |
Masterstudy Elementor Widgets | Unauthenticated Broken Access Control (BAC) |
MasterStudy LMS | Broken Access Control (BAC) |
Materialis Theme | Missing Authorization (BAC) to Limited Arbitrary Options Update (BAC) |
Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow | Broken Access Control (BAC) |
Minimal Coming Soon & Maintenance Mode – Coming Soon Page | Missing Authorization (BAC) to Limited Settings Change |
MJ Update History | Broken Access Control (BAC) |
Muslim Prayer Time BD | Settings Reset (BAC) via Cross-Site Request Forgery (CSRF) |
Netgsm | Broken Access Control (BAC) |
Newsletter - API addon (Premium) | Missing Authorization (BAC) to Email Subscribers Management |
Newspack Blocks | Arbitrary Directory Deletion (BAC) |
Newspack Blocks | Arbitrary File Upload (BAC) |
Newspack Blocks | Broken Access Control (BAC) |
Optinly | Broken Access Control (BAC) |
Page Builder Sandwich – Front-End Page Builder | Broken Access Control (BAC) |
Paid Memberships Pro | Cross-Site Request Forgery to Membership Modification (BAC) |
Patreon WordPress | Image Protection Bypass (BAC) |
Pearl | Missing Authorization (BAC) to Unauthenticated Arbitrary Site Options Deletion (BAC) |
Pexels: Free Stock Photos | Arbitrary File Upload (BAC) |
Play.ht | Broken Access Control (BAC) |
Popup box | Broken Access Control (BAC) |
Popup Builder | Missing Authorization (BAC) in Multiple AJAX Actions |
Popup Builder | Missing Authorization (BAC) and Nonce Exposure |
ProfileGrid | Missing Authorization (BAC) |
Progress Planner | Broken Access Control (BAC) |
Promolayer | Missing Authorization (BAC) |
PropertyHive | Broken Access Control (BAC) |
QQWorld Auto Save Images | Missing Authorization (BAC) to Arbitrary Post Content Retrieval |
Radcliffe 2 Theme | Broken Access Control (BAC) |
Restrict for Elementor | Protection Mechanism Bypass (BAC) |
Robo Gallery | Cross-Site Request Forgery to Post Creation (BAC) |
Salon booking system | Unauthenticated Arbitrary File Upload (BAC) |
Salon booking system | Arbitrary File Deletion (BAC) |
Salon booking system | Missing Authorization (BAC) |
SC filechecker | Arbitrary File Deletion (BAC) |
Scheduling Plugin – Online Booking for WordPress | Unauthenticated Plugin Settings Reset (BAC) |
Sensei LMS | Broken Access Control (BAC) |
Sensei Pro (WC Paid Courses) | Broken Access Control (BAC) |
Simple COD Fees for WooCommerce | Broken Access Control (BAC) |
Sirv | Arbitrary File Upload (BAC) |
SiteGuard WP Plugin | Login Page Disclosure (BAC) |
Slider Responsive Slideshow – Image slider, Gallery slideshow | Broken Access Control (BAC) |
Smush Image Compression and Optimization | Resmush List Deletion (BAC) |
Social Link Pages | Missing Authorization (BAC) to Arbitrary Page Creation (BAC) and Cross-Site Scripting (XSS) |
Social Login Lite For WooCommerce | Authentication Bypass (BAC) |
Sparkle Demo Importer | Post/Pages/Attachments Deletion (BAC) and Demo Data Import |
Squeeze | Arbitrary File Upload (BAC) |
Startklar Elementor Addons | Unauthenticated Path Traversal to Arbitrary Directory Deletion (BAC) |
Strategery Migrations | Arbitrary File Deletion (BAC) |
Strong Testimonials | Improper Authorization to Views Modification (BAC) |
The Moneytizer | Missing Authorization (BAC) via multiple AJAX actions |
Tickera | Broken Access Control (BAC) |
Tickera | Ticket Deletion (BAC) |
Timetics | Broken Access Control (BAC) |
Timetics | Missing Authorization (BAC) to Limited Privilege Escalation (BAC) |
Tutor LMS | Insecure Direct Object Reference (IDOR) to Arbitrary Quiz Attempt Deletion (BAC) |
Uber Menu | Cross-Site Request Forgery to Settings Reset (BAC) |
Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Uncanny Automator Pro | Cross-Site Request Forgery (CSRF) Leading to License Settings Reset (BAC) |
Uncanny Automator Pro | Unauthenticated License Settings Reset (BAC) |
Under Construction / Maintenance Mode from Acurax | IP Bypass (BAC) |
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | Broken Access Control (BAC) |
Upload Fields for WPForms | Broken Access Control (BAC) |
Upunzipper | Arbitrary File Deletion (BAC) |
User Profile Picture | Insecure Direct Object Reference (IDOR) to Profile Picture Update (BAC) |
User Registration | Missing Authorization (BAC) to Privilege Escalation (BAC) |
User Rights Access Manager | Broken Access Control (BAC) |
Wheel of Life | Missing Authorization (BAC) on Several AJAX Endpoints |
WishList Member X | Arbitrary File Deletion (BAC) |
WishList Member X | Privilege Escalation (BAC) |
WooBuddy | Broken Access Control (BAC) |
Woocommerce Customers Order History | Broken Access Control (BAC) |
WooCommerce Social Login | Email Verification Bypass (BAC) |
WooCommerce Tools | Missing Authorization (BAC) to Plugin Module Deactivation (BAC) |
WP Child Theme Generator | Unauthenticated Child Theme Creation (BAC)/Activation |
WP Dark Mode | Missing Authorization (BAC) |
wpDataTables | Missing Authorization (BAC) to DataTable Access & Modification (BAC) |
WP-DB-Table-Editor | Missing Authorization (BAC) to Database Access |
WP EasyCart | Broken Access Control (BAC) |
WP Force SSL & HTTPS SSL Redirect | Missing Authorization (BAC) to Settings Update (BAC) |
WP Job Manager - Resume Manager | Broken Access Control (BAC) |
WP Maintenance | IP Spoofing to Maintenance Mode Bypass (BAC) |
WP-Recall | Unauthenticated Payment Deletion (BAC) via delete_payment |
WP Reset | Missing Authorization (BAC) to License Key Modification (BAC) |
WPS Hide Login | Login Page Disclosure (BAC) |
WP Time Slots Booking Form | Broken Access Control (BAC) |
WP Translate | Broken Access Control (BAC) |
WPUpper Share Buttons | Missing Authorization (BAC) |
Zita Elementor Site Library | Missing Authorization (BAC) |
WordPress BAC & WP Broken Access Control reported in 2023: | 931 |
WordPress BAC & WP Broken Access Control reported in 2024: | 891 |
How wonderful would it be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: a managed service for the price of one cup of coffee.
Start simply by contacting us with your selections: