Stay informed about the latest WP Broken Access Control vulnerabilities, identified and reported publicly. WP BAC for October 2024 shows a 45% decrease compared to the previous month. For your online safety, consider a managed security audit, or switch to a TOP10LIST alternative WP security plugin, or hire professionals for managed security.
If any of these publicly reported vulnerable plugins with non-enforced access controls are installed on your domain, it opens Pandora's box from a security point of view. The following cases made headlines publicly just last month in the WP Broken Access Control category:
Plugin | Vulnerability (category) |
ForumWP | Account Takeover (BAC) |
Easy Property Listings | Arbitrary Contact Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
Contact Form 7 Campaign Monitor Extension | Arbitrary File Deletion (BAC) |
Advanced File Manager | Arbitrary File Upload (BAC) |
Bit File Manager | Arbitrary File Upload (BAC) |
Bit Form – Contact Form Plugin | Arbitrary File Upload (BAC) |
MStore API | Arbitrary File Upload (BAC) |
Customizer Export/Import | Arbitrary File Upload (BAC) from Customization Settings Import |
The Ultimate WordPress Toolkit – WP Extended | Arbitrary Options Update (BAC) |
WooCommerce Photo Reviews - Review Reminders - Review for Discounts | Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC) |
Login with phone number | Authorization Bypass (BAC) to Privilege Escalation (BAC) |
Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads | Broken Access Control (BAC) |
Depicter Slider | Broken Access Control (BAC) |
Elementor Addon Elements | Broken Access Control (BAC) |
JoomSport | Broken Access Control (BAC) |
Joy Of Text Lite | Broken Access Control (BAC) |
Popup Maker | Broken Access Control (BAC) |
PWA for WP & AMP | Broken Access Control (BAC) |
Sunshine Photo Cart | Broken Access Control (BAC) |
Templately | Broken Access Control (BAC) |
Truepush | Broken Access Control (BAC) |
Wheel of Life | Broken Access Control (BAC) |
WooCommerce Multilingual & Multicurrency | Broken Access Control (BAC) |
WP Datepicker | Broken Access Control (BAC) |
WP Free SSL – Free SSL Certificate for WordPress and force HTTPS | Broken Access Control (BAC) |
Fluent Support | Broken Access Control (BAC) on Email Verification |
Stream | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
Easy PayPal Events | Cross-Site Request Forgery (CSRF) to Arbitrary Post Deletion (BAC) |
BA Book Everything | Cross-Site Request Forgery (CSRF) to Email Address Update (BAC) /Account Takeover (BAC) |
AnWP Football Leagues | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Common Tools for Site | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
GF Custom Style | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Graphicsly | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
GutenGeek Free Gutenberg Blocks for WordPress | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
king_IE | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Mapplic Lite | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
OneElements – Best Elementor Addons | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Preloader Plus - Wordpress Loading Screen Plugin | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Advanced File Manager | File Upload (BAC) |
AZIndex | Index Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
WCFM – Frontend Manager for WooCommerce | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) /Privilege Escalation (BAC) |
Charitable | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) and Privilege Escalation (BAC) |
WP-Recall | Insecure Direct Object Reference (IDOR) to Unauthenticated Arbitrary Password Update (BAC) |
IP Vault – WP Firewall | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
Limit Login Attempts Plus | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
SAF | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
Web Application Firewall – website security | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
Maintenance Redirect | IP Bypass (BAC) |
WP Cerber Security | IP Protection Bypass (BAC) |
Classified Listing | Missing Authorization (BAC) |
EU/UK VAT Manager for WooCommerce | Missing Authorization (BAC) |
EU/UK VAT Manager for WooCommerce | Missing Authorization (BAC) |
Form Vibes – Database Manager for Forms | Missing Authorization (BAC) in Multiple Functions |
Flash & HTML5 Video | Missing Authorization (BAC) in multiple functions from hvp_ajax_handler |
The Ultimate WordPress Toolkit – WP Extended | Missing Authorization (BAC) to Admin Username Change |
Revision Manager TMC | Missing Authorization (BAC) to Arbitrary Email Sending |
Webba Booking | Missing Authorization (BAC) to CSS Settings Update (BAC) |
WP Easy Gallery | Missing Authorization (BAC) to Gallery Manipulation |
FluentForm | Missing Authorization (BAC) to Mailchimp Integration Modification |
Flash & HTML5 Video | Missing Authorization (BAC) to Options Update (BAC) |
Amelia | Missing Authorization (BAC) to Private Information Exposure |
Email Subscribers & Newsletters | Missing Authorization (BAC) to Private Information Exposure |
Sight | Missing Authorization (BAC) to Private Information Exposure in handler_post_title |
Frontend Post Submission Manager Lite | Missing Authorization (BAC) to Settings Update (BAC) |
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins | Missing Authorization (BAC) to Settings Update (BAC) |
ThemeHunk | Missing Authorization (BAC) to Settings Update (BAC) |
Download Monitor | Missing Authorization (BAC) to Shop Enable |
myCred | Missing Authorization (BAC) to Unauthenticated Database Upgrade |
Revolut Gateway for WooCommerce | Missing Authorization (BAC) to Unauthenticated Order Status Update (BAC) |
EventPrime | Missing Authorization (BAC) to Unauthenticated Password-Protected-Events Private Disclosure |
EventPrime | Missing Authorization (BAC) to Unauthenticated Private-Events Private Disclosure |
Uncanny Groups for LearnDash | Missing Authorization (BAC) to User Group Add |
WC Marketplace | Missing Authorization (BAC) to Vendor Privilege Escalation (BAC) /Account Takeover (BAC) |
Geo Controller | Multiple Missing Authorization (BAC) |
BuddyForms | Privilege Escalation (BAC) |
ForumWP | Privilege Escalation (BAC) |
Houzez Login Register | Privilege Escalation (BAC) |
Houzez Theme | Privilege Escalation (BAC) |
Newsletters | Privilege Escalation (BAC) |
Post Grid and Gutenberg Blocks | Privilege Escalation (BAC) |
Uncanny Groups for LearnDash | Privilege Escalation (BAC) |
adstxt | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
DN Popup | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Posts reminder | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Visual Sound | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
LiteSpeed Cache | Unauthenticated Account Takeover (BAC) from Cookie Leak |
WooEvents | Unauthenticated Arbitrary File Overwrite (BAC) |
JupiterX Core | Unauthenticated Arbitrary File Upload (BAC) |
REST API TO MiniProgram | Unauthenticated Arbitrary User Email Update (BAC) and Privilege Escalation (BAC) from Account Takeover (BAC) |
JupiterX Core | Unauthenticated Authentication Bypass (BAC) to Account Takeover (BAC) |
Ninja Forms File Upload Extension | Unauthenticated Cross-Site Scripting (XSS) from File Upload (BAC) |
WP Job Portal | Unauthenticated Local File Inclusion (LFI), Arbitrary Settings Update (BAC), and User Creation (BAC) |
PixelYourSite PRO | Unauthenticated Private Information Exposure and Log Deletion (BAC) |
PixelYourSite – Your smart PIXEL (TAG) Manager | Unauthenticated Private Information Exposure and Log Deletion (BAC) |
Webo-facto | Unauthenticated Privilege Escalation (BAC) |
WPCOM Member | Unauthenticated Privilege Escalation (BAC) from User Meta |
WP Hardening | Unauthenticated Security Feature Bypass (BAC) to Username Enumeration |
WordPress BAC (WP Broken Access Control) vulnerabilities reported in 2023: 931
WordPress BAC (WP Broken Access Control) vulnerabilities reported in 2024: 1336
How wonderful would it be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of a premium cup of coffee per week for your first managed service.
Start simply by contacting us with your selections: