WP BAC OCT 2024

WP BAC OCT 2024: Brutal 97 WP Broken Access Control


Be informed about the latest WP Broken Access Control vulnerabilities, identified and reported publicly. WP BAC OCT 2024 is a 45% decrease compared to the previous month. For your online safety, consider a managed security AUDIT, or switching to a TOP10LIST alternative WP Security Plugin, or hiring professionals for managed security.

Contact your online project manager:

Order managed services

Fast forward 2-3 years: your business is on autopilot, yet you are in control. Your 3rd party integrations still work, your partners and your customers are happy.

There hasn’t been a crisis or “online emergency” in ages, and all your reports are OK and green. Whimsical? The future is already here. Step into your future today.

WP BAC OCT 2024

If any of these plugins, whose access checks are missing or not enforced, is installed on your domain, it opens Pandora's box from a security point of view: an action the plugin meant for administrators becomes available to a subscriber, a visitor, or a cross-site request. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:

ForumWP Account Takeover (BAC)
Easy Property Listings Arbitrary Contact Deletion (BAC) from Cross-Site Request Forgery (CSRF)
Contact Form 7 Campaign Monitor Extension Arbitrary File Deletion (BAC)
Advanced File Manager Arbitrary File Upload (BAC)
Bit File Manager Arbitrary File Upload (BAC)
Bit Form – Contact Form Plugin Arbitrary File Upload (BAC)
MStore API Arbitrary File Upload (BAC)
Customizer Export/Import Arbitrary File Upload (BAC) from Customization Settings Import
The Ultimate WordPress Toolkit – WP Extended Arbitrary Options Update (BAC)
WooCommerce Photo Reviews - Review Reminders - Review for Discounts Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC)
Login with phone number Authorization Bypass (BAC) to Privilege Escalation (BAC)
Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads Broken Access Control (BAC)
Depicter Slider Broken Access Control (BAC)
Elementor Addon Elements Broken Access Control (BAC)
JoomSport Broken Access Control (BAC)
Joy Of Text Lite Broken Access Control (BAC)
Popup Maker Broken Access Control (BAC)
PWA for WP & AMP Broken Access Control (BAC)
Sunshine Photo Cart Broken Access Control (BAC)
Templately Broken Access Control (BAC)
Truepush Broken Access Control (BAC)
Wheel of Life Broken Access Control (BAC)
WooCommerce Multilingual & Multicurrency Broken Access Control (BAC)
WP Datepicker Broken Access Control (BAC)
WP Free SSL – Free SSL Certificate for WordPress and force HTTPS Broken Access Control (BAC)
Fluent Support Broken Access Control (BAC) on Email Verification
Stream Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC)
Easy PayPal Events Cross-Site Request Forgery (CSRF) to Arbitrary Post Deletion (BAC)
BA Book Everything Cross-Site Request Forgery (CSRF) to Email Address Update (BAC) / Account Takeover (BAC)
AnWP Football Leagues Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Common Tools for Site Cross-Site Scripting (XSS) from SVG File Upload (BAC)
GF Custom Style Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Graphicsly Cross-Site Scripting (XSS) from SVG File Upload (BAC)
GutenGeek Free Gutenberg Blocks for WordPress Cross-Site Scripting (XSS) from SVG File Upload (BAC)
king_IE Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Mapplic Lite Cross-Site Scripting (XSS) from SVG File Upload (BAC)
OneElements – Best Elementor Addons Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Preloader Plus - Wordpress Loading Screen Plugin Cross-Site Scripting (XSS) from SVG File Upload (BAC)
Advanced File Manager File Upload (BAC)
AZIndex Index Deletion (BAC) from Cross-Site Request Forgery (CSRF)
WCFM – Frontend Manager for WooCommerce Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) / Privilege Escalation (BAC)
Charitable Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) and Privilege Escalation (BAC)
WP-Recall Insecure Direct Object Reference (IDOR) to Unauthenticated Arbitrary Password Update (BAC)
IP Vault – WP Firewall IP Address Spoofing to Protection Mechanism Bypass (BAC)
Limit Login Attempts Plus IP Address Spoofing to Protection Mechanism Bypass (BAC)
SAF IP Address Spoofing to Protection Mechanism Bypass (BAC)
Web Application Firewall – website security IP Address Spoofing to Protection Mechanism Bypass (BAC)
Maintenance Redirect IP Bypass (BAC)
WP Cerber Security IP Protection Bypass (BAC)
Classified Listing Missing Authorization (BAC)
EU/UK VAT Manager for WooCommerce Missing Authorization (BAC)
EU/UK VAT Manager for WooCommerce Missing Authorization (BAC)
Form Vibes – Database Manager for Forms Missing Authorization (BAC) in Multiple Functions
Flash & HTML5 Video Missing Authorization (BAC) in multiple functions from hvp_ajax_handler
The Ultimate WordPress Toolkit – WP Extended Missing Authorization (BAC) to Admin Username Change
Revision Manager TMC Missing Authorization (BAC) to Arbitrary Email Sending
Webba Booking Missing Authorization (BAC) to CSS Settings Update (BAC)
WP Easy Gallery Missing Authorization (BAC) to Gallery Manipulation
FluentForm Missing Authorization (BAC) to Mailchimp Integration Modification
Flash & HTML5 Video Missing Authorization (BAC) to Options Update (BAC)
Amelia Missing Authorization (BAC) to Private Information Exposure
Email Subscribers & Newsletters Missing Authorization (BAC) to Private Information Exposure
Sight Missing Authorization (BAC) to Private Information Exposure in handler_post_title
Frontend Post Submission Manager Lite Missing Authorization (BAC) to Settings Update (BAC)
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins Missing Authorization (BAC) to Settings Update (BAC)
ThemeHunk Missing Authorization (BAC) to Settings Update (BAC)
Download Monitor Missing Authorization (BAC) to Shop Enable
myCred Missing Authorization (BAC) to Unauthenticated Database Upgrade
Revolut Gateway for WooCommerce Missing Authorization (BAC) to Unauthenticated Order Status Update (BAC)
EventPrime Missing Authorization (BAC) to Unauthenticated Password-Protected-Events Private Disclosure
EventPrime Missing Authorization (BAC) to Unauthenticated Private-Events Private Disclosure
Uncanny Groups for LearnDash Missing Authorization (BAC) to User Group Add
WC Marketplace Missing Authorization (BAC) to Vendor Privilege Escalation (BAC) / Account Takeover (BAC)
Geo Controller Multiple Missing Authorization (BAC)
BuddyForms Privilege Escalation (BAC)
ForumWP Privilege Escalation (BAC)
Houzez Login Register Privilege Escalation (BAC)
Houzez Theme Privilege Escalation (BAC)
Newsletters Privilege Escalation (BAC)
Post Grid and Gutenberg Blocks Privilege Escalation (BAC)
Uncanny Groups for LearnDash Privilege Escalation (BAC)
adstxt Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
DN Popup Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
Posts reminder Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
Visual Sound Settings Update (BAC) from Cross-Site Request Forgery (CSRF)
LiteSpeed Cache Unauthenticated Account Takeover (BAC) from Cookie Leak
WooEvents Unauthenticated Arbitrary File Overwrite (BAC)
JupiterX Core Unauthenticated Arbitrary File Upload (BAC)
REST API TO MiniProgram Unauthenticated Arbitrary User Email Update (BAC) and Privilege Escalation (BAC) from Account Takeover (BAC)
JupiterX Core Unauthenticated Authentication Bypass (BAC) to Account Takeover (BAC)
Ninja Forms File Upload Extension Unauthenticated Cross-Site Scripting (XSS) from File Upload (BAC)
WP Job Portal Unauthenticated Local File Inclusion (LFI), Arbitrary Settings Update (BAC), and User Creation (BAC)
PixelYourSite PRO Unauthenticated Private Information Exposure and Log Deletion (BAC)
PixelYourSite – Your smart PIXEL (TAG) Manager Unauthenticated Private Information Exposure and Log Deletion (BAC)
Webo-facto Unauthenticated Privilege Escalation (BAC)
WPCOM Member Unauthenticated Privilege Escalation (BAC) from User Meta
WP Hardening Unauthenticated Security Feature Bypass (BAC) to Username Enumeration

WordPress BAC & WP Broken Access Control reported in 2023: 931
WordPress BAC & WP Broken Access Control reported in 2024: 1336
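Most entries above fall into three recurring root causes: an AJAX or REST handler with no capability check (Missing Authorization), a state-changing handler with no nonce (CSRF to Settings Update / Options Update), and a protection feature keyed on a client-controlled header (IP Address Spoofing to Protection Mechanism Bypass). The snippet below is an added example written for this page, not code from any plugin listed above: a vulnerable settings handler beside its hardened form, and a client-IP helper that does not trust spoofable headers. Every name prefixed `ex_` is hypothetical; the WordPress functions used (`add_action`, `current_user_can`, `check_ajax_referer`, `wp_unslash`, `sanitize_text_field`, `update_option`, `wp_send_json_success`, `wp_send_json_error`) are the real core API.

```php
<?php
/**
 * Added example for this page; not the code of any listed plugin.
 * All ex_* names and the option key 'ex_plugin_settings' are hypothetical.
 */

// VULNERABLE: registered for logged-in users AND for visitors (nopriv),
// with no capability check and no nonce. Any visitor can overwrite the
// option, and any logged-in user can be made to do so by a cross-site
// request. This is the "Missing Authorization to Settings Update" and
// "CSRF to Settings Update" pattern from the list.
add_action( 'wp_ajax_ex_save_settings_vuln',        'ex_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_ex_save_settings_vuln', 'ex_save_settings_vulnerable' );
function ex_save_settings_vulnerable() {
    update_option( 'ex_plugin_settings', $_POST['settings'] ); // arbitrary value stored
    wp_send_json_success();
}

// HARDENED: no nopriv registration, a capability check (authorization),
// a nonce check (CSRF), and an allow-list over the submitted settings.
add_action( 'wp_ajax_ex_save_settings', 'ex_save_settings_hardened' );
function ex_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );           // sends and exits
    }
    check_ajax_referer( 'ex_save_settings', 'nonce' );    // dies on a bad/missing nonce
    $clean = ex_sanitize_settings( wp_unslash( $_POST['settings'] ?? array() ) );
    update_option( 'ex_plugin_settings', $clean );
    wp_send_json_success( $clean );
}

// Keep only known keys with known types. Omitting this step is what turns
// a "Settings Update" into an "Arbitrary Options Update".
function ex_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    return array(
        'enabled'  => ! empty( $input['enabled'] ),
        'max_size' => min( 100, max( 1, (int) ( $input['max_size'] ?? 10 ) ) ),
        'label'    => sanitize_text_field( $input['label'] ?? '' ),
    );
}
// Where the settings form is rendered, emit the matching nonce field:
// wp_nonce_field( 'ex_save_settings', 'nonce' );

/**
 * IP Address Spoofing to Protection Mechanism Bypass: a login limiter or
 * block list that reads X-Forwarded-For (or Client-IP, X-Real-IP) directly
 * is bypassed by sending that header. Trust the header only when
 * REMOTE_ADDR is a proxy you operate ($trusted_proxies is a hypothetical
 * allow-list), and take the right-most address that is not one of your
 * proxies, since the left-most one is whatever the client wrote.
 */
function ex_client_ip( array $server, array $trusted_proxies = array() ) {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ( empty( $trusted_proxies ) || ! in_array( $remote, $trusted_proxies, true ) ) {
        return $remote; // no trusted proxy in front: headers are attacker-controlled
    }
    $chain = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ?? '' ) );
    for ( $i = count( $chain ) - 1; $i >= 0; $i-- ) {
        if ( ! in_array( $chain[ $i ], $trusted_proxies, true )
             && filter_var( $chain[ $i ], FILTER_VALIDATE_IP ) ) {
            return $chain[ $i ];
        }
    }
    return $remote;
}

// Constructed request, not a real capture: direct client spoofing the header.
// ex_client_ip() ignores the forged value because REMOTE_ADDR is not a proxy.
$spoofed = array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1' );
var_dump( ex_client_ip( $spoofed ) === '203.0.113.7' );                       // bool(true)
// Same request arriving through an operated proxy at 10.0.0.2 is unwrapped.
$proxied = array( 'REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7' );
var_dump( ex_client_ip( $proxied, array( '10.0.0.2' ) ) === '203.0.113.7' );  // bool(true)
```

When auditing a plugin on your domain, grep its `wp_ajax_nopriv_` registrations and every `register_rest_route` without a `permission_callback`: each one is an endpoint a visitor can reach, and each must have its own capability check rather than relying on the menu page it was meant to be called from.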

A cup of coffee makes a difference ...

How wonderful would it be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of a premium cup of coffee per week for your first managed service.
Start simply by contacting us with your selections.

ultrai.ae managed online © 2023 - 2024 – All rights reserved
We’re on an empowering mission for customers, who desire not to be transformed forcefully into IT experts.
ultrai.ae
