Be informed about the latest WP Broken Access Control vulnerabilities that have been identified and reported publicly. WP BAC reports for September 2024 are a +2% INCREASE compared to the previous month. For your online safety, consider a managed security AUDIT, – OR – switching to a TOP10LIST alternative WP Security Plugin, – OR – hiring professionals for managed Security.
When plugins with these publicly reported, non-enforced access-control flaws are installed on your domain, they open Pandora’s box from a security point of view. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:
AcyMailing SMTP Newsletter | File Upload (BAC) via acym_extractArchive Function |
AdRotate | Double Extension File Upload (BAC) |
Advanced Cron Manager – debug & control | Broken Access Control (BAC) |
affiliate-toolkit | Unauthenticated Full Path Disclosure (BAC) |
Amelia | Unauthenticated Full Path Disclosure (BAC) |
AMP for WP | Broken Access Control (BAC) |
ARMember | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Aruba HiSpeed Cache | Broken Access Control (BAC) |
Asset CleanUp: Page Speed Booster | Broken Access Control (BAC) |
Atarim | Broken Access Control (BAC) |
Atarim | Missing Authorization (BAC) to Settings Update (BAC) |
Backup and Restore WordPress | Broken Access Control (BAC) |
Backup and Restore WordPress | Unauthenticated Broken Access Control (BAC) |
BerqWP | Unauthenticated File Upload (BAC) |
Bit Form – Contact Form Plugin 2.0 | File Deletion (BAC) |
Bit Form – Contact Form Plugin 2.0 | File Read (BAC) And Deletion (BAC) |
Bit Form – Contact Form Plugin 2.0 | JavaScript File Uploads (BAC) |
Bit Form Pro | File Upload (BAC) |
Bit Form Pro | Plugin Settings Change (BAC) |
Bit Form Pro | Unauthenticated File Deletion (BAC) |
Bitly | Broken Access Control (BAC) |
Blockbooster Theme | Broken Access Control (BAC) |
Blog2Social | Cross-Site Scripting (XSS) via File Upload (BAC) |
Blog Introduction | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Blogpoet Theme | Broken Access Control (BAC) |
Blox Page Builder | File Upload (BAC) |
BookingPress | Authentication Bypass to Account Takeover (BAC) |
Breakdance | Missing Authorization (BAC) |
Clearfy Cache | Broken Access Control (BAC) |
Clone | Broken Access Control (BAC) |
Contest Gallery | Unauthenticated Comment UserID And IP address Disclosure (BAC) |
CRM Perks Forms | File Upload (BAC) |
Depicter Slider | File Upload (BAC) |
Docket (WooCommerce Collections / Wishlist / Watchlist) | Unauthenticated Post/Page Deletion (BAC) |
Droip | Settings Change (BAC)/Private Data Exposure |
Droip | Unauthenticated File Download/Deletion (BAC) |
Easy Digital Downloads | Broken Access Control (BAC) |
Ebook Store | Unauthenticated Full Path Disclosure (BAC) |
Element Pack Elementor Addons | File Read (BAC) |
Enhanced Search Box | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Envira Photo Gallery | Broken Access Control (BAC) |
Event Espresso 4 Decaf | Missing Authorization (BAC) to Plugin Settings Modification (BAC) |
EventPrime | Broken Access Control (BAC) |
Falang multilanguage | Missing Authorization (BAC) to Translation Update (BAC) and Private Information Exposure |
Favicon Generator | Cross-Site Request Forgery (CSRF) to File Deletion (BAC) |
Favicon Generator | File Upload (BAC) via Cross-Site Request Forgery (CSRF) |
File Manager Pro | Plugin Settings Update (BAC) |
File Manager Pro | File Upload (BAC) |
Filter & Grids | Broken Authentication (BAC) |
Flash & HTML5 Video | Broken Access Control (BAC) |
Folders | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Fonts | Broken Access Control (BAC) |
FormCraft | Broken Access Control (BAC) |
Fota WP Theme | Broken Access Control (BAC) |
Funnelforms Free | File Deletion (BAC) |
Funnelforms Free | File Upload (BAC) |
Funnelforms Free | Missing Authorization (BAC) to Unauthenticated Media Upload (BAC) and Deletion (BAC) |
Fuse Social Floating Sidebar | Cross-Site Scripting (XSS) via File Upload (BAC) |
GeoDirectory | Broken Access Control (BAC) |
GetPaid | Broken Access Control (BAC) |
GiveWP | Missing Authorization (BAC) to Private Information Exposure |
GiveWP | Missing Authorization (BAC) to Unauthenticated Event Settings Update (BAC) |
GiveWP | Missing Authorization (BAC) to File Deletion (BAC) |
GiveWP | Unauthenticated Full Path Disclosure (BAC) |
Hello Agency Theme | Broken Access Control (BAC) |
HelloAsso | Broken Access Control (BAC) |
Hummingbird | Broken Access Control (BAC) |
HUSKY | Privilege Escalation (BAC) |
Icegram Collect – Easy Form, Lead Collection and Subscription plugin | Broken Access Control (BAC) |
ILC Thickbox | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
ImageRecycle pdf & image compression | Missing Authorization (BAC) in Several AJAX Actions |
infolinks Ad Wrap | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
InPost for WooCommerce | Unauthenticated File Read (BAC)/Delete (BAC) |
InPost PL | Unauthenticated File Read (BAC)/Delete (BAC) |
JetFormBuilder | Privilege Escalation (BAC) |
JobSearch | Unauthenticated Account Takeover (BAC) |
JobSearch | Broken Access Control (BAC) |
JobSearch | Broken Access Control (BAC) |
JoomSport | Broken Access Control (BAC) |
JS Help Desk – Best Help Desk & Support Plugin | Broken Access Control (BAC) |
Leopard - WordPress offload media | Plugin Settings Change (BAC) |
Linkify Text | Unauthenticated Full Path Disclosure (BAC) |
LiteSpeed Cache | Unauthenticated Privilege Escalation (BAC) |
Login As Users | Broken Authentication (BAC) |
Login As Users | Broken Access Control (BAC) to Account Takeover (BAC) |
Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
LWS Affiliation | Broken Access Control (BAC) |
MainWP Child Reports | Cross-Site Request Forgery (CSRF) to Options Update (BAC) |
Masteriyo - LMS | Broken Access Control (BAC) |
Masteriyo - LMS | Broken Access Control (BAC) |
MaxButtons | Full Path Disclosure (BAC) |
Media Library Assistant | File Upload (BAC) via mla-inline-edit-upload-scripts AJAX Action |
Media Library Folders | Missing Authorization (BAC) on Various Functions |
Memberpress | Broken Access Control (BAC) |
Meta Box – WordPress Custom Fields Framework | Broken Access Control (BAC) |
Metform Elementor Contact Form Builder | Unauthenticated Double-Extension File Upload (BAC) |
Misiek Photo Album | Album Deletion (BAC) via Cross-Site Request Forgery (CSRF) |
Mollie Payments for WooCommerce | Unauthenticated Full Path Disclosure (BAC) |
MP3 Audio Player for Music, Radio & Podcast by Sonaar | Missing Authorization (BAC) to File Deletion (BAC) |
MStore API | Authentication Bypass to Account Takeover (BAC) |
My Custom CSS PHP & ADS | Unauthenticated Full Path Disclosure (BAC) |
Newsletters | Unauthenticated Full Path Disclosure (BAC) |
Newspack | Broken Access Control (BAC) |
Ninja Tables | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
No Update Nag | Unauthenticated Full Path Disclosure (BAC) |
Obfuscate Email | Unauthenticated Full Path Disclosure (BAC) |
oik | File Deletion (BAC) |
Opal Membership | Information Disclosure (BAC) |
Orbit Fox by ThemeIsle | Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
Orchid Store Theme | Missing Authorization (BAC) to Plugin Activation (BAC) |
Order Tracking | Broken Access Control (BAC) |
Oxygen Builder | Missing Authorization (BAC) to Stylesheet Update (BAC) |
PDF Builder for WPForms | Unauthenticated Full Path Disclosure (BAC) |
Permalink Manager Lite | Missing Authorization (BAC) to Unauthenticated Private Information Exposure |
Persian WooCommerce | Broken Access Control (BAC) |
Photo Engine | Broken Access Control (BAC) |
Plugin Notes Plus | Content Deletion (BAC) |
Premium Addons for Elementor | Missing Authorization (BAC) to Content Deletion (BAC) and Title Update (BAC) |
Presto Player | Broken Access Control (BAC) |
Print Barcode Labels for your WooCommerce products/orders | Broken Access Control (BAC) |
Recipe Card Blocks for Gutenberg & Elementor | Broken Access Control (BAC) |
Registrations for the Events Calendar | Broken Access Control (BAC) |
Responsive Lightbox | Cross-Site Scripting (XSS) via File Upload (BAC) |
Responsive Lightbox | Broken Access Control (BAC) |
Reveal Template | Unauthenticated Full Path Disclosure (BAC) |
Reviews Feed | Missing Authorization (BAC) to Settings Update (BAC) |
ReviewX | Broken Access Control (BAC) |
ReviveNews Theme | Broken Access Control (BAC) |
Robin image optimizer | Broken Access Control (BAC) |
Send Emails with Mandrill | Broken Access Control (BAC) |
Sign-up Sheets | Broken Access Control (BAC) |
Sirv | Missing Authorization (BAC) to File Upload (BAC) |
Slider by Soliloquy | Broken Access Control (BAC) to Cross-Site Scripting (XSS) |
Smart Online Order for Clover | Broken Access Control (BAC) |
Smart Online Order for Clover | Missing Authorization (BAC) to Plugin Deactivation and Data Deletion (BAC) |
Social Slider Feed | Broken Access Control (BAC) |
Sunshine Photo Cart | Broken Access Control (BAC) |
Superfly Menu | Cross-Site Request Forgery (CSRF) to File Deletion (BAC) |
Sync Post With Other Site | Missing Authorization (BAC) to Post Creation and Update (BAC) |
TemplateSpare | Missing Authorization (BAC) to Theme Update (BAC) |
Theme My Login | Cross-Site Request Forgery (CSRF) to Settings Update (BAC) |
Themify Builder | Missing Authorization (BAC) to Post Duplication |
The Plus Addons for Elementor Page Builder Lite | Broken Access Control (BAC) |
The Post Grid | Information Disclosure (BAC) |
Timetics | Broken Access Control (BAC) |
TrueBooker | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Tutor LMS | Broken Access Control (BAC) |
Tutor LMS Pro | Missing Authorization (BAC) to Insecure Direct Object Reference |
TypeSquare Webfonts | Broken Access Control (BAC) |
Ultimate Membership Pro | Unauthenticated Privilege Escalation (BAC) |
UsersWP | Users Information Disclosure (BAC) |
UsersWP | Broken Access Control (BAC) |
Visual Sound (old) | Settings Update (BAC) via Cross-Site Request Forgery (CSRF) |
Waitlist Woocommerce (Back in stock notifier) | Broken Access Control (BAC) |
WHMpress | Settings Change (BAC) |
Woffice Theme | Unauthenticated Privilege Escalation (BAC) |
WooCommerce Google Feed Manager | Missing Authorization (BAC) to Feed Actions |
WooCommerce Google Feed Manager | Missing Authorization (BAC) to File Deletion (BAC) |
WooCommerce PDF Vouchers | Unauthenticated File Deletion (BAC) |
WooCommerce Social Login | Authentication Bypass to Account Takeover (BAC) |
WOOCS – WooCommerce Currency Switcher | Broken Access Control (BAC) |
WordPress File Upload | Broken Access Control (BAC) |
WordPress File Upload | Unauthenticated Cross-Site Scripting (XSS) via SVG File Upload (BAC) |
WP Accessibility Helper (WAH) | Missing Authorization (BAC) to Settings Update (BAC) |
WPC Frequently Bought Together for WooCommerce | Broken Access Control (BAC) |
WP Crowdfunding | Settings Change (BAC) |
WP Fundraising Donation and Crowdfunding Platform | Privilege Escalation (BAC) |
WP Search Analytics | Broken Access Control (BAC) |
WP SMS | Broken Access Control (BAC) |
WP Social Feed Gallery | Broken Access Control (BAC) |
WP Testimonial Widget | Missing Authorization (BAC) |
WpTravelly | Broken Access Control (BAC) |
YARPP | Broken Access Control (BAC) |
YayExtra | Unauthenticated File Upload (BAC) via handle_upload_file Function |
Z Y N I T H | Unauthenticated Option Deletion (BAC) |
Z Y N I T H | Unauthenticated Plugin Settings Change (BAC) |
WordPress BAC (WP Broken Access Control) cases reported in 2023: | 931 |
WordPress BAC (WP Broken Access Control) cases reported in 2024: | 1239 |
How wonderful would it be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of a premium cup of coffee per week for your first managed service.
Start simply by contacting us with your selections: