WP BAC JUN 2025

WP BAC JUN 2025: Brutal 174 WP Broken Access Control (infographic)


Be informed about the latest WP Broken Access Control cases, identified and reported publicly. WP BAC JUN 2025 is down 53% compared to the previous month. For your online safety, consider a managed security audit, or switching to a TOP10LIST alternative WP security plugin, or hiring professionals for managed security.


WP BAC JUN 2025

If any of these publicly reported vulnerable plugins is installed on your domain, its non-enforced access checks open Pandora's box from a security point of view. The following cases were reported publicly just last month in the WP Broken Access Control category:

1 Click WordPress Migration Missing Authorization (BAC) and Arbitrary File Upload (BAC)
6Storage Rentals Broken Access Control (BAC)
Acerola Theme Broken Access Control (BAC)
Advanced File Manager Broken Access Control (BAC) and Notice Dismissal
AHAthat Cross-Site Request Forgery (CSRF) and AHA Page Deletion (BAC)
Ajar in5 Embed Arbitrary File Upload (BAC)
AnyWhere Elementor Pro Theme Broken Access Control (BAC)
BEAF Arbitrary File Upload (BAC)
belingoGeo Arbitrary File Download (BAC)
BERTHA AI Broken Access Control (BAC)
Blocksy Theme Broken Access Control (BAC)
Booking and Rental Manager Broken Access Control (BAC)
Bot for Telegram on WooCommerce Broken Access Control (BAC)
Browse As Authentication Bypass (BAC) from Cookie
BTEV Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
BuddyPress Platform Pro Authentication Bypass (BAC) from Apple OAuth provider
Bulk Featured Image Broken Access Control (BAC)
Calculate Prices based on Distance For WooCommerce Broken Access Control (BAC)
Challan Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC)
ClickWhale Broken Access Control (BAC)
Coming Soon Page, Under Construction & Maintenance Mode by SeedProd Missing Authorization (BAC) and Private Information Exposure
ContentStudio Broken Access Control (BAC)
CouponXL Theme Privilege Escalation (BAC)
Cozy Blocks Broken Access Control (BAC)
Crawlomatic Multisite Scraper Post Generator Unauthenticated Arbitrary File Upload (BAC)
CryptoCloud Crypto Payment Gateway Broken Access Control (BAC)
CSS3 Accordions for WordPress Broken Access Control (BAC)
CSS3 Compare Pricing Tables for WordPress Broken Access Control (BAC)
CSS3 Tooltips for WordPress Broken Access Control (BAC)
CURCY Arbitrary Shortcode Execution (BAC)
Custom Author Base Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
Digits Auth Bypass (BAC) from OTP Bruteforcing
Drag and Drop File Upload for Elementor Forms Arbitrary File Deletion (BAC)
Drag and Drop Multiple File Upload for WooCommerce Unauthenticated Arbitrary File Upload (BAC) from upload Function
eaSYNC PayPal Settings Update (BAC)
Echo RSS Feed Post Generator Plugin for WordPress Unauthenticated Arbitrary File Upload (BAC)
EKC Tournament Manager Arbitrary File Download (BAC)
Element Pack Pro Broken Access Control (BAC)
ELEX WordPress HelpDesk & Customer Ticketing System Arbitrary File Upload (BAC)
eMagicOne Store Manager Unauthenticated Arbitrary File Deletion (BAC)
eMagicOne Store Manager Unauthenticated Arbitrary File Read (BAC)
eMagicOne Store Manager Unauthenticated Arbitrary File Upload (BAC) from set_file()
Embed and Integrate Etsy Shop Broken Access Control (BAC)
Envo Extra Broken Access Control (BAC)
Envolve Plugin Unauthenticated Arbitrary File Upload (BAC) from language_file and fonts_file
Envolve Plugin Unauthenticated Language File Deletion (BAC)
EUCookieLaw Unauthenticated Arbitrary File Read (BAC)
Event Calendar Unauthenticated Arbitrary Calendar Deletion (BAC)
Eventer Broken Access Control (BAC)
Eventin Arbitrary File Download (BAC)
Eventin Privilege Escalation (BAC)
EventON Broken Access Control (BAC)
EventON Missing Authorization (BAC) and Cross-Site Scripting (XSS)
EventON Broken Access Control (BAC)
EventPrime Arbitrary booking Settings Update (BAC)
Experto CTA Widget – Call and Action, Sticky CTA, Floating Button Plugin Settings Change (BAC)
External image replace Arbitrary File Upload (BAC)
Featured Image Plus Missing Authorization (BAC) and Featured Image Update
Flynax Bridge Unauthenticated Privilege Escalation (BAC)
Frontend Dashboard Missing Authorization (BAC) and Unauthenticated Privilege Escalation (BAC)
Frontend Dashboard Missing Authorization (BAC) and Privilege Escalation (BAC)
Frontend Login and Registration Blocks Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC)
GDPR CCPA Compliance Support Broken Access Control (BAC)
Graphina Broken Access Control (BAC)
Groundhogg Arbitrary File Deletion (BAC)
GS Logo Slider Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
GS Testimonial Slider Broken Access Control (BAC)
GS Variation Swatches for WooCommerce Broken Access Control (BAC)
Homey Theme Missing Authorization (BAC) and Arbitrary Reservation & Post Deletion
Hospital Management System Arbitrary File Upload (BAC)
Hospital Management System Privilege Escalation (BAC)
HotStar – Multi-Purpose Business Theme Broken Access Control (BAC)
IMITHEMES Listing Unauthenticated Privilege Escalation (BAC) from Unverified Password Reset (BAC)
Infocob CRM Forms Arbitrary File Download (BAC)
Instantio Arbitrary File Upload (BAC)
Jetpack Unauthenticated Arbitrary Block & Shortcode Execution (BAC)
Jetpack Debug Tools Broken Access Control (BAC)
JP Students Result Management System Premium Arbitrary File Upload (BAC)
KBx Pro Ultimate Arbitrary File Deletion (BAC)
LayoutBoxx Unauthenticated Arbitrary Shortcode Execution (BAC)
Lead Form Data Collection and CRM Arbitrary Option Update and Privilege Escalation (BAC)
Leadinfo Settings Change (BAC)
Legal Pages Broken Access Control (BAC)
LessButtons Social Sharing and Statistics Cross-Site Request Forgery (CSRF) and Settings Change (BAC)
LocateAndFilter Broken Access Control (BAC)
Login Lockdown Missing Authorization (BAC) and Arbitrary IP Whitelisting
Majestic Support Broken Access Control (BAC)
MapSVG Broken Access Control (BAC)
MapSVG Broken Access Control (BAC)
MapSVG Arbitrary Shortcode Execution (BAC)
MasterStudy LMS Pro Arbitrary File Upload (BAC)
Media Hygiene Broken Access Control (BAC)
Motors Theme Unauthenticated Arbitrary Shortcode Execution (BAC)
Motors Theme Unauthenticated Privilege Escalation (BAC) from Password Update (BAC)/Account Takeover (BAC)
MStore API Unauthenticated Privilege Escalation (BAC)
MStore API Missing Authorization (BAC) and Posts Creation
Music Player for WooCommerce Broken Access Control (BAC)
Nomupay Payment Processing Gateway Arbitrary File Download (BAC)
Ntz Antispam Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
Opal Woo Custom Product Variation Arbitrary File Deletion (BAC)
OTP-less one tap Sign in Unauthenticated Arbitrary Email Update and Account Takeover (BAC)/Privilege Escalation (BAC)
Ovation Elements Broken Access Control (BAC)
PeproDev Ultimate Profile Solutions Authentication Bypass (BAC) and Account Takeover (BAC)
PeproDev Ultimate Profile Solutions Missing Authorization (BAC) and Unauthenticated Arbitrary User Meta Update
PeproDev Ultimate Profile Solutions Missing Authorization (BAC) and Unauthenticated Email Enumeration
PGS Core Missing Authorization (BAC) from Multiple Functions
Pinterest Automatic Pin Broken Access Control (BAC)
Printcart Web and Print Product Designer for WooCommerce Arbitrary File Upload (BAC)
Product Quantity Dropdown For Woocommerce Cross-Site Request Forgery (CSRF) and Settings Change (BAC)
ProfileGrid Broken Access Control (BAC)
Projectopia Broken Access Control (BAC)
Property Missing Authorization (BAC) and Privilege Escalation (BAC) from property_package_user_role Metadata in PayPal Registration
Push notification for Mobile and Web app Broken Access Control (BAC)
QS Dark Mode Broken Access Control (BAC)
QuickCal Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC)
QuickCal Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC)
Rankie Broken Access Control (BAC)
Reales WP STPT Privilege Escalation (BAC) from Password Update (BAC)
Reales WP STPT Unauthorized User Registration (BAC)
Responsive Plus Broken Access Control (BAC)
Rootspersona Broken Access Control (BAC)
Rozario Theme Broken Access Control (BAC)
RS WP Book Showcase Arbitrary Shortcode Execution (BAC)
Salon Booking Pro Broken Access Control (BAC)
Secure Downloads Arbitrary File Download (BAC)
Sharespine Woocommerce Connector Broken Access Control (BAC)
Shortlinks by Pretty Links Broken Access Control (BAC)
Simple Business Directory Pro Privilege Escalation (BAC)
Simple File List Settings Change (BAC)
Simple Link Directory Pro Broken Access Control (BAC)
Simple Nav Archives Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
SMS Alert Order Notifications – WooCommerce Privilege Escalation (BAC) from handleWpLoginCreateUserAction Function
Splitit Missing Authorization (BAC) and Multiple Administrative Actions
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light Privilege Escalation (BAC)
STAGGS Arbitrary File Upload (BAC)
StoreKeeper for WooCommerce Arbitrary File Upload (BAC)
StyleAI Broken Access Control (BAC)
Subaccounts for WooCommerce Account Takeover (BAC)
Tainacan Arbitrary File Deletion (BAC)
The Business Theme Broken Access Control (BAC)
The Events Calendar Broken Access Control (BAC)
TheGem Theme Arbitrary File Upload (BAC)
TheGem Theme Missing Authorization (BAC) and Arbitrary Theme Options Update
The Plus Addons for Elementor Pro Broken Access Control (BAC)
The Ultimate WordPress Toolkit – WP Extended Cross-Site Scripting (XSS) from SVG File Upload (BAC)
TicketBAI Facturas para WooCommerce Unauthenticated Arbitrary File Deletion (BAC)
TI WooCommerce Wishlist Arbitrary File Upload (BAC)
Tours Broken Access Control (BAC)
Travelpayouts Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
TwitterPosts Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
Uncanny Automator Missing Authorization (BAC) and Plugin Settings Update (BAC)
Url Rewrite Analyzer Broken Access Control (BAC)
User Profile Meta Manager Cross-Site Request Forgery (CSRF) and Privilege Escalation (BAC)
Visual Builder Broken Access Control (BAC)
Visual Header Broken Access Control (BAC)
Web3Press Arbitrary File Read (BAC)
Wholesale Market Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
Widgets Reset Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
Wiki Embed Cross-Site Request Forgery (CSRF) and Settings Change (BAC)
Wishlist Broken Access Control (BAC)
Wolmart Theme Unauthenticated Arbitrary Shortcode Execution (BAC)
Woocommerce Multiple Addresses Privilege Escalation (BAC)
WooCommerce POS Broken Access Control (BAC)
Woo Slider Pro Arbitrary Content Deletion (BAC)
Woo Slider Pro Missing Authorization (BAC) and Arbitrary Post Deletion from woo_slide_pro_delete_draft_preview
Wordpress Auto Spinner Broken Access Control (BAC)
WPBookit Insecure Direct Object Reference and Unauthenticated Privilege Escalation (BAC) from Account Takeover (BAC)
WPBot Pro Wordpress Chatbot Arbitrary File Deletion (BAC)
WP Job Portal Arbitrary File Download (BAC)
WP Mapa Politico España Cross-Site Request Forgery (CSRF) and Settings Change (BAC)
WP shop Privilege Escalation (BAC) from Account Takeover (BAC)
Year Make Model Search for WooCommerce Cross-Site Request Forgery (CSRF) and Settings Change (BAC)
Z-Downloads Arbitrary File Upload (BAC)
百度站长SEO合集(支持百度/神马/Bing/头条推送) Unauthenticated Arbitrary File Upload (BAC)
WordPress BAC & WP Broken Access Control reported in 2023: 931
WordPress BAC & WP Broken Access Control reported in 2024: 2024
WordPress BAC & WP Broken Access Control reported in 2025: 1377

ultrai.ae managed online administration © 2023 - 2025 – All rights reserved