🔬 Conversion Rate Optimisation for your 🌐 WordPress & 🛒 WooCommerce: skyrocket sales with modern proven methods! The purpose of recurrent CRO services is to constantly improve the likelihood of visitors taking your desired action on your domain.
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC NOV 2024 is a +172% INCREASE compared to previous month. Consider for your online safety, a managed security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin - OR - Hire professionals for managed Security.
As these non-enforced access cases from publicly reported vulnerable plugins are on your domain, it opens Pandora’s box from a security point of view. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
| 1-Click Login: Passwordless Authentication | Broken Authentication (BAC) |
| 3D Work In Progress | Arbitrary File Deletion (BAC) |
| 3D Work In Progress | Arbitrary File Upload (BAC) |
| AADMY | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| ACF Images Search And Insert | Arbitrary File Upload (BAC) |
| Acnoo Flutter API | Account Takeover (BAC) |
| Adding drop down roles in registration | Privilege Escalation (BAC) |
| aDirectory | Arbitrary File Upload (BAC) |
| Advanced Advertising System | PHP Object Injection (BAC) |
| Advanced Custom Fields | Missing Authorization (BAC) on Option Changes (BAC) |
| Advanced Custom Fields | Missing Authorization (BAC) to Private Information Disclosure |
| Advanced Custom Fields | Missing Authorization (BAC) to Private Information Disclosure |
| Advanced Custom Fields PRO | Missing Authorization (BAC) on Option Changes (BAC) |
| Advanced Custom Fields PRO | Missing Authorization (BAC) to Private Information Disclosure |
| Advanced Custom Fields PRO | Missing Authorization (BAC) to Private Information Disclosure |
| Affiliate Pro - Affiliate Program for WooCommerce & WordPress | Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC) |
| Affiliator | Arbitrary File Upload (BAC) |
| Aggregator Advanced Settings | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Ahime Image Printer | Arbitrary File Download (BAC) |
| AI Image Generator for Your Content & Featured Images – AI Postpix | Arbitrary File Upload (BAC) |
| Ajar in5 Embed | Arbitrary File Upload (BAC) |
| All Post Contact Form | Arbitrary File Upload (BAC) |
| AMP for WP | Cross-Site Request Forgery to Privilege Escalation (BAC) |
| Analyse Uploads | Arbitrary File Deletion (BAC) |
| App Builder | Privilege Escalation (BAC) and Account Takeover (BAC) from Weak OTP |
| AppPresser | Privilege Escalation (BAC) and Account Takeover (BAC) from Weak OTP |
| AR For Woocommerce | Arbitrary File Upload (BAC) |
| AR For WordPress | Arbitrary File Upload (BAC) |
| Automatic Translation | Arbitrary File Upload (BAC) |
| AVIF & SVG Uploader | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Azz Anonim Posting | Arbitrary File Upload (BAC) |
| Backup and Staging by WP Time Capsule | PHP Object Injection (BAC) |
| Best Restaurant Menu by PriceListo | Broken Access Control (BAC) |
| Bit File Manager | Limited JavaScript File Upload (BAC) |
| Bit Form – Contact Form Plugin | Improper Input Validation to Arbitrary File Read (BAC) |
| Black Widgets For Elementor | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Bold Page Builder | Broken Access Control (BAC) |
| Bot for Telegram on WooCommerce | Telegram Bot Token Disclosure to Authentication Bypass (BAC) |
| Branding | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Breeze | Broken Access Control (BAC) |
| Bridge Core | Missing Authorization (BAC) to Demo Import |
| Bstone Demo Importer | Privilege Escalation (BAC) |
| BuddyPress | Directory Traversal (BAC) |
| BuddyPress Better Registration | Broken Authentication (BAC) |
| Bulk Change Role | Privilege Escalation (BAC) |
| Bulk images optimiser | Missing Authorization (BAC) to Plugin Options Update (BAC) |
| Calculated Fields Form | HTML Injection (BAC) |
| Category Icon | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Code Explorer | External File Read (BAC)ing |
| Contact Form 7 Telegram | Missing Authorization (BAC) to Subscription Approve and Pause and Refuse |
| Cooked Pro | Unauthenticated Arbitrary File Upload (BAC) |
| Creates 3D Flipbook, PDF Flipbook | Arbitrary File Upload (BAC) |
| Crypto | Authentication Bypass (BAC) from log_in |
| Crypto | Authentication Bypass (BAC) from register |
| Crypto | Cross-Site Request Forgery to Authentication Bypass (BAC) |
| CubeWP – All-in-One Dynamic Content Framework | Broken Access Control (BAC) |
| Custom Icons for Elementor | Arbitrary File Upload (BAC) |
| Debrandify | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Demo Importer Plus | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Digital Lottery | Arbitrary File Upload (BAC) |
| Disc Golf Manager | PHP Object Injection (BAC) |
| Download Monitor | Missing Authorization (BAC) to API Key Manipulation |
| Download Monitor | Missing Authorization (BAC) to Private Information Exposure |
| Download Plugin | Missing Authorization (BAC) to User Metadata and Comment Download |
| DS.DownloadList | PHP Object Injection (BAC) |
| Easy Demo Importer | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Easy Menu Manager | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Easy Post Types | Missing Authorization (BAC) from Multiple Functions |
| Easy Post Types | PHP Object Injection (BAC) |
| Echo RSS Feed Post Generator Plugin for WordPress | Unauthenticated Privilege Escalation (BAC) |
| Editorial Assistant by Sovrn | Missing Authorization (BAC) to Attachment Upload and Set Post Featured Image |
| EKC Tournament Manager | Cross-Site Request Forgery (CSRF) to Arbitrary File Upload (BAC) |
| Elastik Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Elemenda | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| ElementsReady Addons for Elementor | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Email Subscribers & Newsletters | Arbitrary Shortcode Execution (BAC) |
| Empowerment Theme | PHP Object Injection (BAC) |
| Enable Shortcodes inside Widgets,Comments and Experts | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| Exam Matrix | Privilege Escalation (BAC) |
| Extensions by HocWP Team | Authentication Bypass (BAC) |
| Feed Comments Number | Arbitrary File Upload (BAC) |
| File Manager Pro | Cross-Site Request Forgery to Arbitrary File Upload (BAC) |
| File Manager Pro | Unauthenticated Backup File Download (BAC) and Upload |
| File Manager Pro | Unauthenticated Limited JavaScript File Upload (BAC) |
| FileOrganizer | Arbitrary File Upload (BAC) |
| Fonto | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Forminator | Missing Authorization (BAC) to Form Update (BAC) and Creation |
| FREE DOWNLOAD MANAGER | Arbitrary File Deletion (BAC) |
| Free Stock Photos Foter | PHP Object Injection (BAC) |
| GERRYWORKS Post by Mail | Privilege Escalation (BAC) |
| Giveaway Boost | PHP Object Injection (BAC) |
| GiveWP | Unauthenticated PHP Object Injection (BAC) to Remote Code Execution (RCE) |
| Greenshift – animation and page builder blocks | Broken Access Control (BAC) |
| GRÜN spendino Spendenformular | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
| GutenKit | Unauthenticated Arbitrary File Upload (BAC) |
| Happy Addons for Elementor | Broken Access Control (BAC) |
| Hash Form | Unauthenticated Limited File Upload (BAC) |
| HD Quiz – Save Results Light | Broken Access Control (BAC) |
| Hello World | Arbitrary File Read (BAC) |
| Htaccess File Editor | Broken Access Control (BAC) |
| Hunk Companion | Missing Authorization (BAC) to Unauthenticated Arbitrary Plugin Installation and Activation |
| HurryTimer | Missing Authorization (BAC) to Arbitrary Post Publication |
| iBryl Switch User | Account Takeover (BAC) |
| Image Map Pro | Missing Authorization (BAC) to Map Project Add and Update and Delete |
| ImagePress | Cross-Site Request Forgery to Plugin Settings Update (BAC) |
| ImagePress | Missing Authorization (BAC) to Arbitrary Post Deletion (BAC) and Post Title Update (BAC) |
| Infinite-Scroll | Cross-Site Request Forgery to Plugin Settings Update (BAC) |
| INK Official | Arbitrary File Upload (BAC) |
| IP Loc8 | PHP Object Injection (BAC) |
| JiangQie Free Mini Program | Arbitrary File Upload (BAC) |
| Job Board Manager for WordPress | Privilege Escalation (BAC) |
| Kata Plus | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| KB Support | Missing Authorization (BAC) to Multiple Administrator Actions |
| KB Support | Missing Authorization (BAC) to Unauthenticated Ticket Reply Exposure |
| Landing Page Cat | Broken Access Control (BAC) |
| LatePoint | Authentication Bypass (BAC) |
| Leyka | Broken Access Control (BAC) |
| Linkz.ai | Missing Authorization (BAC) to Plugin Settings Update (BAC) |
| Linkz.ai | Missing Authorization (BAC) to Unauthenticated Plugin Settings Update (BAC) |
| LiteSpeed Cache | Privilege Escalation (BAC) |
| LocateAndFilter | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Login Protection – Limit Failed Login Attempts | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
| MaanStore API | Account Takeover (BAC) |
| Mapster WP Maps | Incorrect Authorization to Arbitrary Options Update (BAC) |
| Marketing Automation by AZEXO | Arbitrary File Upload (BAC) |
| Marketing Automation by AZEXO | Privilege Escalation (BAC) |
| Masteriyo - LMS | Missing Authorization (BAC) to Privilege Escalation (BAC) |
| Meetup | Broken Authentication (BAC) |
| Miniorange OTP Verification with Firebase | Authentication Bypass (BAC) |
| Miniorange OTP Verification with Firebase | Privilege Escalation (BAC) from Registration due to Administrator Default User Role Value |
| Multiline files upload for contact form 7 | Missing Authorization (BAC) to Plugin Deactivation |
| Multi Purpose Mail Form | Arbitrary File Upload (BAC) |
| Multi Purpose Mail Form | Arbitrary File Upload (BAC) |
| Multi Step Form | Broken Access Control (BAC) |
| Mynx Page Builder | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| My Reading Library | PHP Object Injection (BAC) |
| My Wp Brand – Hide menu & Hide Plugin | Broken Access Control (BAC) |
| Namaste! LMS | PHP Object Injection (BAC) |
| Nextend Social Login Pro | Authentication Bypass (BAC) |
| Nice Backgrounds | Arbitrary File Upload (BAC) |
| Notification for Telegram | Missing Authorization (BAC) |
| Order Attachments for WooCommerce 2.0 | Missing Authorization (BAC) to Limited Arbitrary File Upload (BAC) |
| Order Notification for Telegram | Missing Authorization (BAC) to Unauthenticated Send Telegram Test Message |
| Pedalo Connector | Authentication Bypass (BAC) |
| PegaPoll | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
| Photo Gallery Builder | Broken Access Control (BAC) to Notice Dismissal |
| photokit | Arbitrary File Upload (BAC) |
| Plugin Propagator | Arbitrary File Upload (BAC) |
| Plug your WooCommerce into the largest catalog of customized print products from Helloprint | Arbitrary File Upload (BAC) |
| Portfolleo | Arbitrary File Upload (BAC) |
| Product Customizer Light | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Product Website Showcase | Arbitrary File Upload (BAC) |
| ProfilePress Pro | Authentication Bypass (BAC) |
| Property Lot Management System | Arbitrary File Upload (BAC) |
| PublishPress Authors | Insecure Direct Object Reference (IDOR) to Arbitrary User Email Update (BAC) and Account Takeover (BAC) |
| PWA | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| QA Analytics | Missing Authorization (BAC) to Settings Update (BAC) |
| QS Dark Mode | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| R Animated Icon | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Rank Math SEO | PHP Object Injection (BAC) |
| Rank Math SEO | Missing Authorization (BAC) to Unauthenticated User and Term Metadata Insert, Update (BAC), and Delete |
| Read more By Adam | Missing Authorization (BAC) to Read More Button Deletion (BAC) |
| Realty Workstation | Account Takeover (BAC) |
| Recently | PHP Object Injection (BAC) |
| Relogo | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Re:WP | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Robo Gallery | Missing Authorization (BAC) to Private Gallery Title Disclosure |
| Rover IDX | Missing Authorization (BAC) from Multiple Functions |
| Rover IDX | Authentication Bypass (BAC) to Administrator |
| RS-Members | Privilege Escalation (BAC) |
| RSVPMaker for Toastmasters | Arbitrary File Upload (BAC) |
| SendGrid for WordPress | Missing Authorization (BAC) to Log Deletion (BAC) |
| SEOPress | Broken Access Control (BAC) |
| SEOPress | Broken Access Control (BAC) |
| SEOPress | Unauthenticated Broken Access Control (BAC) |
| Shipyaari Shipping Management | PHP Object Injection (BAC) |
| Shortcodes AnyWhere | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| ShortPixel Image Optimiser | Broken Access Control (BAC) |
| Signup Page | Arbitrary Option Update (BAC) to Privilege Escalation (BAC) |
| Simple Custom Post Order | Broken Access Control (BAC) |
| Simple Membership | Open Redirection (BAC) |
| Simple User Registration | Account Takeover (BAC) |
| Sirv | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| SiteBuilder Dynamic Components | PHP Object Injection (BAC) |
| Slider Revolution | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Smart Manager | Broken Access Control (BAC) |
| Social Web Suite | Directory Traversal (BAC) to Arbitrary File Download (BAC) |
| Soumettre.fr | Missing Authorization (BAC) |
| Sovratec Case Management | Arbitrary File Upload (BAC) |
| Spice Starter Sites | Missing Authorization (BAC) to Unauthenticated Demo Content Import |
| Stackable | Unauthenticated CSS Injection (BAC) |
| Stacks Mobile App Builder | Account Takeover (BAC) |
| Stacks Mobile App Builder | Arbitrary File Upload (BAC) |
| Stars SMTP Mailer | Arbitrary File Upload (BAC) |
| Sudan Payment Gateway for WooCommerce | Arbitrary File Upload (BAC) |
| Suki Sites Import | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| Sunshine Photo Cart | Broken Access Control (BAC) |
| Sunshine Photo Cart | Open Redirection (BAC) |
| SurveyJS: Drag & Drop WordPress Form Builder | Arbitrary File Upload (BAC) |
| SVG Complete | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| TAKETIN To WP Membership | PHP Object Injection (BAC) |
| Talkback | PHP Object Injection (BAC) |
| Telecash Ricaricaweb | PHP Object Injection (BAC) |
| Templately | Broken Access Control (BAC) |
| Templately | Broken Access Control (BAC) |
| Timetable and Event Schedule | Missing Authorization (BAC) |
| Timetics | Insecure Direct Object Reference (IDOR) to Unauthenticated Arbitrary User Password and Email Reset and Account Takeover (BAC) |
| Token Login | Broken Authentication (BAC) |
| Training – Courses | Arbitrary File Upload (BAC) |
| Uix Shortcodes | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| UltimateAI | Authentication Bypass (BAC) |
| UltimateAI | Limited User Password Change (BAC) due to Improper Empty and Missing Default Value Check |
| UltraPress Theme | PHP Object Injection (BAC) |
| Unseen Blog Theme | PHP Object Injection (BAC) |
| UserPlus | Registration Form Update (BAC) to Privilege Escalation (BAC) |
| User Toolkit | Account Takeover (BAC) |
| Verbalize WP | Arbitrary File Upload (BAC) |
| WatchTowerHQ | Authentication Bypass (BAC) |
| WC Marketplace | Cross-Site Request Forgery to Vendor Update (BAC)s |
| WC Marketplace | Missing Authorization (BAC) to Forged Vendor ProFile Deletion (BAC) Email Sending |
| Wechat Social login | Authentication Bypass (BAC) |
| Wechat Social login | Unauthenticated Arbitrary File Upload (BAC) |
| WooCommerce | Unauthenticated HTML Injection (BAC) |
| Woocommerce Custom Profile Picture | Arbitrary File Upload (BAC) |
| WooCommerce Order Proposal | Privilege Escalation (BAC) from Order Proposal |
| WooCommerce PDF Invoices & Packing Slips | Broken Access Control (BAC) |
| Woocommerce Product Design | Arbitrary File Deletion (BAC) |
| Woocommerce Product Design | Arbitrary File Download (BAC) |
| Woocommerce Product Design | Arbitrary File Upload (BAC) |
| WooCommerce UPS Shipping – Live Rates and Access Points | Missing Authorization (BAC) to Plugin API key reset |
| Woostagram Connect | Arbitrary File Upload (BAC) |
| WordPress Comments Import & Export | Arbitrary File Read (BAC) from Directory Traversal (BAC) |
| WordPress File Upload (BAC) | Unauthenticated Path Traversal to Arbitrary File Read (BAC) and Deletion (BAC) in wfu_file_downloaderphp |
| WordPress Gallery Plugin – Limb Image Gallery | Arbitrary File Download (BAC) |
| WordPress Gallery Plugin – Limb Image Gallery | Arbitrary File Upload (BAC) |
| WordPress Meta Data and Taxonomies Filter (MDTF) | Bypass (BAC) |
| WordPress Stripe Donation and Payment Plugin | Broken Access Control (BAC) |
| WP 2FA with Telegram | Authentication Bypass (BAC) |
| WP 2FA with Telegram | Two-Factor Authentication Bypass (BAC) |
| WP Adminify | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WP Blocks Hub | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WP Booking System | Broken Access Control (BAC) |
| WP Cleanup and Basic Functions | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WPC Shop as a Customer for WooCommerce | PHP Object Injection (BAC) |
| WPC Smart Messages for WooCommerce | Missing Authorization (BAC) to Message Activation and Deactivation |
| wpDiscuz | Authentication Bypass (BAC) |
| WP donimedia carousel | Arbitrary File Upload (BAC) |
| WP Dropbox Dropins | Arbitrary File Upload (BAC) |
| WP Hotel Booking | Arbitrary File Upload (BAC) |
| WP Popup Builder | Unauthenticated Arbitrary Shortcode Execution (BAC) |
| WP REST API FNS | Account Takeover (BAC) |
| WP REST API FNS | Arbitrary File Upload (BAC) |
| WP RSS Aggregator | Missing Authorization (BAC) |
| WPSchoolPress | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) and Privilege Escalation (BAC) |
| Wp Social | Authentication Bypass (BAC) |
| WPS Telegram Chat | Missing Authorization (BAC) to Private Information Exposure |
| WP ULike | Cross-Site Request Forgery to Statistic Deletion (BAC) |
| WP Users Masquerade | Authentication Bypass (BAC) |
| WP VR | Broken Access Control (BAC) |
| WP VR | Broken Access Control (BAC) |
| Wux Blog Editor | Authentication Bypass (BAC) to Administrator |
| Wux Blog Editor | Unauthenticated Arbitrary File Upload (BAC) |
| Youzify | Missing Authorization (BAC) to Arbitrary Attachment Deletion (BAC) |
| Zita Elementor Site Library | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
| WordPress BAC & WP Broken Access Control reported in 2023: | 931 |
| WordPress BAC & WP Broken Access Control reported in 2024: | 1600 |
How wonderful would be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of a premium cup of coffee per week, for your first managed service.
Start simply by contacting us with your selections:
We care about the protection of your personal data. Update, subscribe or unsubscribe anytime. Read our Privacy Policy.