Discover managed ACQUISITION metrics for WordPress, WooCommerce, Shopify, SaaS. Managed for you on your domain, inside your hosting account, in your country. With a good managed monitoring strategy in place, you'll gain greater transparency & visibility into your operations with a timely alerting system.
Be informed about the latest WP Broken Access Control, identified and reported publicly. WP BAC OCT 2024 is a -45% DECREASE compared to previous month. Consider for your online safety, a managed security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin - OR - Hire professionals for managed Security.
As these non-enforced access cases from publicly reported vulnerable plugins are on your domain, it opens Pandora’s box from a security point of view. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
ForumWP | Account Takeover (BAC) |
Easy Property Listings | Arbitrary Contact Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
Contact Form 7 Campaign Monitor Extension | Arbitrary File Deletion (BAC) |
Advanced File Manager | Arbitrary File Upload (BAC) |
Bit File Manager | Arbitrary File Upload (BAC) |
Bit Form – Contact Form Plugin | Arbitrary File Upload (BAC) |
MStore API | Arbitrary File Upload (BAC) |
Customizer Export/Import | Arbitrary File Upload (BAC) from Customization Settings Import |
The Ultimate WordPress Toolkit – WP Extended | Arbitrary Options Update (BAC) |
WooCommerce Photo Reviews - Review Reminders - Review for Discounts | Authentication Bypass (BAC) to Account Takeover (BAC) and Privilege Escalation (BAC) |
Login with phone number | Authorization Bypass (BAC) to Privilege Escalation (BAC) |
Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads | Broken Access Control (BAC) |
Depicter Slider | Broken Access Control (BAC) |
Elementor Addon Elements | Broken Access Control (BAC) |
JoomSport | Broken Access Control (BAC) |
Joy Of Text Lite | Broken Access Control (BAC) |
Popup Maker | Broken Access Control (BAC) |
PWA for WP & AMP | Broken Access Control (BAC) |
Sunshine Photo Cart | Broken Access Control (BAC) |
Templately | Broken Access Control (BAC) |
Truepush | Broken Access Control (BAC) |
Wheel of Life | Broken Access Control (BAC) |
WooCommerce Multilingual & Multicurrency | Broken Access Control (BAC) |
WP Datepicker | Broken Access Control (BAC) |
WP Free SSL – Free SSL Certificate for WordPress and force HTTPS | Broken Access Control (BAC) |
Fluent Support | Broken Access Control (BAC) on Email Verification |
Stream | Cross-Site Request Forgery (CSRF) to Arbitrary Options Update (BAC) |
Easy PayPal Events | Cross-Site Request Forgery (CSRF) to Arbitrary Post Deletion (BAC) |
BA Book Everything | Cross-Site Request Forgery (CSRF) to Email Address Update (BAC) /Account Takeover (BAC) |
AnWP Football Leagues | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Common Tools for Site | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
GF Custom Style | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Graphicsly | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
GutenGeek Free Gutenberg Blocks for WordPress | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
king_IE | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Mapplic Lite | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
OneElements – Best Elementor Addons | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Preloader Plus - Wordpress Loading Screen Plugin | Cross-Site Scripting (XSS) from SVG File Upload (BAC) |
Advanced File Manager | File Upload (BAC) |
AZIndex | Index Deletion (BAC) from Cross-Site Request Forgery (CSRF) |
WCFM – Frontend Manager for WooCommerce | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) /Privilege Escalation (BAC) |
Charitable | Insecure Direct Object Reference (IDOR) to Account Takeover (BAC) and Privilege Escalation (BAC) |
WP-Recall | Insecure Direct Object Reference (IDOR) to Unauthenticated Arbitrary Password Update (BAC) |
IP Vault – WP Firewall | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
Limit Login Attempts Plus | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
SAF | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
Web Application Firewall – website security | IP Address Spoofing to Protection Mechanism Bypass (BAC) |
Maintenance Redirect | IP Bypass (BAC) |
WP Cerber Security | IP Protection Bypass (BAC) |
Classified Listing | Missing Authorization (BAC) |
EU/UK VAT Manager for WooCommerce | Missing Authorization (BAC) |
EU/UK VAT Manager for WooCommerce | Missing Authorization (BAC) |
Form Vibes – Database Manager for Forms | Missing Authorization (BAC) in Multiple Functions |
Flash & HTML5 Video | Missing Authorization (BAC) in multiple functions from hvp_ajax_handler |
The Ultimate WordPress Toolkit – WP Extended | Missing Authorization (BAC) to Admin Username Change |
Revision Manager TMC | Missing Authorization (BAC) to Arbitrary Email Sending |
Webba Booking | Missing Authorization (BAC) to CSS Settings Update (BAC) |
WP Easy Gallery | Missing Authorization (BAC) to Gallery Manipulation |
FluentForm | Missing Authorization (BAC) to Mailchimp Integration Modification |
Flash & HTML5 Video | Missing Authorization (BAC) to Options Update (BAC) |
Amelia | Missing Authorization (BAC) to Private Information Exposure |
Email Subscribers & Newsletters | Missing Authorization (BAC) to Private Information Exposure |
Sight | Missing Authorization (BAC) to Private Information Exposure in handler_post_title |
Frontend Post Submission Manager Lite | Missing Authorization (BAC) to Settings Update (BAC) |
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins | Missing Authorization (BAC) to Settings Update (BAC) |
ThemeHunk | Missing Authorization (BAC) to Settings Update (BAC) s |
Download Monitor | Missing Authorization (BAC) to Shop Enable |
myCred | Missing Authorization (BAC) to Unauthenticated Database Upgrade |
Revolut Gateway for WooCommerce | Missing Authorization (BAC) to Unauthenticated Order Status Update (BAC) |
EventPrime | Missing Authorization (BAC) to Unauthenticated Password-Protected-Events Private Disclosure |
EventPrime | Missing Authorization (BAC) to Unauthenticated Private-Events Private Disclosure |
Uncanny Groups for LearnDash | Missing Authorization (BAC) to User Group Add |
WC Marketplace | Missing Authorization (BAC) to Vendor Privilege Escalation (BAC) /Account Takeover (BAC) |
Geo Controller | Multiple Missing Authorization (BAC) |
BuddyForms | Privilege Escalation (BAC) |
ForumWP | Privilege Escalation (BAC) |
Houzez Login Register | Privilege Escalation (BAC) |
Houzez Theme | Privilege Escalation (BAC) |
Newsletters | Privilege Escalation (BAC) |
Post Grid and Gutenberg Blocks | Privilege Escalation (BAC) |
Uncanny Groups for LearnDash | Privilege Escalation (BAC) |
adstxt | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
DN Popup | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Posts reminder | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
Visual Sound | Settings Update (BAC) from Cross-Site Request Forgery (CSRF) |
LiteSpeed Cache | Unauthenticated Account Takeover (BAC) from Cookie Leak |
WooEvents | Unauthenticated Arbitrary File Overwrite (BAC) |
JupiterX Core | Unauthenticated Arbitrary File Upload (BAC) |
REST API TO MiniProgram | Unauthenticated Arbitrary User Email Update (BAC) and Privilege Escalation (BAC) from Account Takeover (BAC) |
JupiterX Core | Unauthenticated Authentication Bypass (BAC) to Account Takeover (BAC) |
Ninja Forms File Upload Extension | Unauthenticated Cross-Site Scripting (XSS) from File Upload (BAC) |
WP Job Portal | Unauthenticated Local File Inclusion (LFi) , Arbitrary Settings Update (BAC) , and User Creation (BAC) |
PixelYourSite PRO | Unauthenticated Private Information Exposure and Log Deletion (BAC) |
PixelYourSite – Your smart PIXEL (TAG) Manager | Unauthenticated Private Information Exposure and Log Deletion (BAC) |
Webo-facto | Unauthenticated Privilege Escalation (BAC) |
WPCOM Member | Unauthenticated Privilege Escalation (BAC) from User Meta |
WP Hardening | Unauthenticated Security Feature Bypass (BAC) to Username Enumeration |
WordPress BAC & WP Broken Access Control reported in 2023: | 931 |
WordPress BAC & WP Broken Access Control reported in 2024: | 1336 |
How wonderful would be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of a premium cup of coffee per week, for your first managed service.
Start simply by contacting us with your selections:
We care about the protection of your personal data. Update, subscribe or unsubscribe anytime. Read our Privacy Policy.