Stay informed about the latest WordPress Broken Access Control (BAC) vulnerabilities that have been identified and reported publicly. The number of WP BAC reports for June 2024 is a 58% decrease compared to the previous month. For your online safety, consider a managed security audit, switching to a TOP10LIST alternative WP security plugin, or hiring professionals for managed security.
If any of these plugins with non-enforced access checks are installed on your domain, it opens Pandora's box from a security point of view. The following cases made headlines publicly just last month in the WP Broken Access Control category:
ACF Front End Editor | Missing Authorization (BAC) to Arbitrary Content Update
ACF On-The-Go | Missing Authorization (BAC) to Arbitrary Content Update
AdFoxly – Ad Manager, AdSense Ads & Ads.txt | Broken Access Control (BAC)
Advanced Custom Fields PRO | Arbitrary Function Execution (BAC)
AI Engine: ChatGPT Chatbot | Arbitrary File Upload (BAC)
Aiomatic | Broken Access Control (BAC)
All-in-One Video Gallery | Arbitrary File Upload (BAC) via featured image
ApplyOnline – Application Form Builder and Manager | Missing Authorization (BAC) to Private Information Exposure
AppPresser | Improper Missing Encryption Exception Handling to Authentication Bypass (BAC)
Back In Stock Notifier for WooCommerce | Unauthenticated Arbitrary Shortcode Execution (BAC)
Base64 Encoder/Decoder | Settings Reset (BAC) via Cross-Site Request Forgery (CSRF)
Blocksy Companion | Cross-Site Scripting (XSS) via SVG Upload (BAC)
BookingPress | Appointment Duration Manipulation (BAC)
Booster for WooCommerce | Unauthenticated Arbitrary Shortcode Execution (BAC)
Brizy – Page Builder | Missing Authorization (BAC)
Builder for WooCommerce reviews shortcodes – ReviewShort | Broken Access Control (BAC)
Bulk Posts Editing For WordPress | Missing Authorization (BAC)
canvasio3D Light | Arbitrary File Upload (BAC)
ChatBot | Missing Authorization (BAC) via multiple functions
ClickCease Click Fraud Protection | Improper Authorization (BAC) to Private Information Exposure via get_settings
Comparison Slider | Missing Authorization (BAC)
Contact Form by WPForms | Unauthenticated Price Manipulation (BAC)
Contact Form & Lead Form Elementor Builder | Arbitrary Shortcode Execution (BAC)
Contact List – Easy Business Directory, Staff Directory and Address Book Plugin | Broken Access Control (BAC)
ConvertPlus | Missing Authorization (BAC) to Limited Arbitrary Options Update
Copymatic – AI Content Writer & Generator | Unauthenticated Arbitrary File Upload (BAC)
Cost Calculator Builder Pro | Unauthenticated Cross-Site Scripting (XSS) via SVG Upload (BAC)
Crafthemes Demo Import | Arbitrary Plugin Installation (BAC)
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler | Broken Access Control (BAC)
Different Menu in Different Pages | Missing Authorization (BAC) to Menu Duplication
Download Monitor | Missing Authorization (BAC)
EAN for WooCommerce | Arbitrary Option Update (BAC) to Privilege Escalation (BAC)
Edwiser Bridge | Authentication Bypass (BAC) due to Missing Empty Value Check
Element Pack Elementor Addons | Form Submission Admin Email Bypass (BAC)
Email Subscribers & Newsletters | Missing Authorization (BAC) in handle_ajax_request
EmbedPress | Insufficient Authorization (BAC) Checks
Event post | Missing Authorization (BAC)
Fastly | Broken Access Control (BAC)
Fastly | Broken Access Control (BAC)
Flo Forms | Broken Access Control (BAC)
FluentForm | Missing Authorization (BAC) to Setting Manipulation (BAC)
FluentForm | Missing Authorization (BAC) to Settings Update (BAC) and Limited Privilege Escalation (BAC)
Giveaways and Contests by RafflePress | Broken Access Control (BAC)
Hash Form – Drag & Drop Form Builder | Unauthenticated Arbitrary File Upload (BAC) to Remote Code Execution (RCE)
HT Mega | Missing Authorization (BAC) to Options Update
If-So Dynamic Content Personalization | Broken Access Control (BAC)
Import and export users and customers | Broken Access Control (BAC)
iPages Flipbook | Broken Access Control (BAC)
Kognetiks Chatbot for WordPress | Arbitrary File Upload (BAC)
LeadConnector | API Broken Access Control (BAC)
LearnPress | Arbitrary File Upload (BAC)
LearnPress | Unauthenticated Bypass (BAC) to User Registration
Login with phone number | Broken Access Control (BAC)
Login with phone number | Authentication Bypass (BAC)
MC Woocommerce Wishlist | Broken Access Control (BAC)
MC Woocommerce Wishlist | Broken Access Control (BAC)
Menu Icons by ThemeIsle | Cross-Site Scripting (XSS) via SVG Upload (BAC)
Netgsm | Broken Access Control (BAC)
Optimole | Cross-Site Scripting (XSS) via SVG Upload (BAC)
Orders Tracking for WooCommerce | Unauthenticated Arbitrary Shortcode Execution (BAC)
Password Protected | Missing Authorization (BAC) to Private Information Exposure
Photo Gallery by 10Web | Broken Access Control (BAC)
Pk Favicon Manager | Arbitrary File Upload (BAC)
Post Grid Master | Broken Access Control (BAC)
Premium Addons for Elementor | Missing Authorization (BAC) to Private Information Disclosure
Radio Player | Broken Access Control (BAC)
reCAPTCHA Jetpack | Settings Update (BAC) via Cross-Site Request Forgery (CSRF)
ReviewX | Missing Authorization (BAC)
Serial Numbers for WooCommerce – License Manager | Broken Access Control (BAC)
Shared Counts | Missing Authorization (BAC) to Arbitrary Email Sending
Shared Files | Broken Access Control (BAC)
ShopLentor | Missing Authorization (BAC) via purchased_new_products
ShopLentor | Missing Authorization (BAC) to WordPress Option Modification
Simple Basic Contact Form | Unauthenticated Arbitrary Shortcode Execution (BAC)
SimpleShop | Missing Authorization (BAC)
Slider Revolution | Unauthenticated Broken Access Control (BAC)
Social Connect | Authentication Bypass (BAC)
Spectra Pro | Privilege Escalation (BAC)
SportsPress – Sports Club & League Manager | Broken Access Control (BAC)
SP Project & Document Manager | Data Update (BAC) and File Download (BAC) via IDOR
Startklar Elementor Addons | Unauthenticated Arbitrary File Upload (BAC)
StopBadBots | Missing Authorization (BAC) to Private Information Exposure
Swift Framework | Missing Authorization (BAC) to Unauthenticated Arbitrary Content Update
Swift Performance Lite | Incorrect Authorization (BAC) to Settings Modification
Swiss Toolkit For WP | Authentication Bypass (BAC)
Tagembed | Broken Access Control (BAC)
Testimonial Carousel For Elementor | Missing Authorization (BAC) to Limited Setting Update
The Post Grid | Missing Authorization (BAC)
Tutor LMS | Missing Authorization (BAC)
Tutor LMS Pro | Missing Authorization (BAC)
Tutor LMS Pro | Missing Authorization (BAC) to Privilege Escalation (BAC)
Tutor LMS Pro | Missing Authorization (BAC) to SQL Injection (SQLi)
Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery | Broken Access Control (BAC)
Video Gallery & Management | Missing Authorization (BAC) to Arbitrary Post/Page Creation
weDocs | Broken Access Control (BAC)
weMail | Broken Access Control (BAC)
White Label CMS | Missing Authorization (BAC) to Plugin Settings Reset
WordPress Meta Data and Taxonomies Filter (MDTF) | Arbitrary Shortcode Execution (BAC)
WordPress Pie Register - Social Sites Login (Add on) plugin | Authentication Bypass (BAC)
WP Compress – Image Optimizer [All-In-One] | Missing Authorization (BAC)
WP Discourse | Broken Access Control (BAC)
WP Fundraising Donation and Crowdfunding Platform | Broken Access Control (BAC)
WP Latest Posts | Arbitrary Shortcode Execution (BAC)
WP Photo Album Plus | Unauthenticated Arbitrary Shortcode Execution (BAC)
WP Photo Album Plus | Unauthenticated Arbitrary File Upload (BAC)
WP Post Author | Rating Value Manipulation (BAC)
WP Post Author | Broken Access Control (BAC)
WP Scraper | Missing Authorization (BAC) to Arbitrary Page/Post Creation
WP STAGING – Backup Duplicator & Migration | Arbitrary File Upload (BAC)
WpTravelly | Missing Authorization (BAC) via ttbm_new_place_save
YITH WooCommerce Gift Cards | Multiple BAC - Missing Authorization to Unauthenticated WooCommerce Settings Update
Yumpu ePaper publishing | Multiple BAC - Missing Authorization, PDF Upload, Publishing, API Key Modification
Z-Downloads | Arbitrary File Upload (BAC)
WordPress BAC / WP Broken Access Control cases reported in 2023: 931
WordPress BAC / WP Broken Access Control cases reported in 2024: 728
How wonderful would it be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of one cup of coffee for a managed service.