WP BAC SEP 2024: Brutal 176 WP Broken Access Control

Stay informed about the latest publicly identified and reported WP Broken Access Control vulnerabilities. WP BAC SEP 2024 is a +2% INCREASE compared to the previous month. For your online safety, consider a managed security AUDIT, or switching to a TOP10LIST alternative WP Security Plugin, or hiring professionals for managed Security.

WP BAC SEP 2024

If any of these publicly reported plugins with non-enforced access checks is installed on your domain, it opens Pandora’s box from a security point of view. The following cases made headlines PUBLICLY just last month in the WP Broken Access Control category:

AcyMailing SMTP Newsletter File Upload (BAC) via acym_extractArchive Function
AdRotate Double Extension File Upload (BAC)
Advanced Cron Manager – debug & control Broken Access Control (BAC)
affiliate-toolkit Unauthenticated Full Path Disclosure (BAC)
Amelia Unauthenticated Full Path Disclosure (BAC)
AMP for WP Broken Access Control (BAC)
ARMember Cross-Site Scripting (XSS) via SVG File Upload (BAC)
Aruba HiSpeed Cache Broken Access Control (BAC)
Asset CleanUp: Page Speed Booster Broken Access Control (BAC)
Atarim Broken Access Control (BAC)
Atarim Missing Authorization (BAC) to Settings Update (BAC)
Backup and Restore WordPress Broken Access Control (BAC)
Backup and Restore WordPress Unauthenticated Broken Access Control (BAC)
BerqWP Unauthenticated File Upload (BAC)
Bit Form – Contact Form Plugin 2.0 File Deletion (BAC)
Bit Form – Contact Form Plugin 2.0 File Read (BAC) And Deletion (BAC)
Bit Form – Contact Form Plugin 2.0 JavaScript File Upload (BAC)
Bit Form Pro File Upload (BAC)
Bit Form Pro Plugin Settings Change (BAC)
Bit Form Pro Unauthenticated File Deletion (BAC)
Bitly Broken Access Control (BAC)
Blockbooster Theme Broken Access Control (BAC)
Blog2Social Cross-Site Scripting (XSS) via File Upload (BAC)
Blog Introduction Settings Update (BAC) via Cross-Site Request Forgery (CSRF)
Blogpoet Theme Broken Access Control (BAC)
Blox Page Builder File Upload (BAC)
BookingPress Authentication Bypass to Account Takeover (BAC)
Breakdance Missing Authorization (BAC)
Clearfy Cache Broken Access Control (BAC)
Clone Broken Access Control (BAC)
Contest Gallery Unauthenticated Comment UserID And IP address Disclosure (BAC)
CRM Perks Forms File Upload (BAC)
Depicter Slider File Upload (BAC)
Docket (WooCommerce Collections / Wishlist / Watchlist) Unauthenticated Post/Page Deletion (BAC)
Droip Settings Change (BAC)/Private Data Exposure
Droip Unauthenticated File Download/Deletion (BAC)
Easy Digital Downloads Broken Access Control (BAC)
Ebook Store Unauthenticated Full Path Disclosure (BAC)
Element Pack Elementor Addons File Read (BAC)
Enhanced Search Box Settings Update (BAC) via Cross-Site Request Forgery (CSRF)
Envira Photo Gallery Broken Access Control (BAC)
Event Espresso 4 Decaf Missing Authorization (BAC) to Plugin Settings Modification (BAC)
EventPrime Broken Access Control (BAC)
Falang multilanguage Missing Authorization (BAC) to Translation Update (BAC) and Private Information Exposure
Favicon Generator Cross-Site Request Forgery (CSRF) to File Deletion (BAC)
Favicon Generator File Upload (BAC) via Cross-Site Request Forgery (CSRF)
File Manager Pro Plugin Settings Update (BAC)
File Manager Pro File Upload (BAC)
Filter & Grids Broken Authentication (BAC)
Flash & HTML5 Video Broken Access Control (BAC)
Folders Cross-Site Scripting (XSS) via SVG File Upload (BAC)
Fonts Broken Access Control (BAC)
FormCraft Broken Access Control (BAC)
Fota WP Theme Broken Access Control (BAC)
Funnelforms Free File Deletion (BAC)
Funnelforms Free File Upload (BAC)
Funnelforms Free Missing Authorization (BAC) to Unauthenticated Media Upload (BAC) and Deletion (BAC)
Fuse Social Floating Sidebar Cross-Site Scripting (XSS) via File Upload (BAC)
GeoDirectory Broken Access Control (BAC)
GetPaid Broken Access Control (BAC)
GiveWP Missing Authorization (BAC) to Private Information Exposure
GiveWP Missing Authorization (BAC) to Unauthenticated Event Settings Update (BAC)
GiveWP Missing Authorization (BAC) to File Deletion (BAC)
GiveWP Unauthenticated Full Path Disclosure (BAC)
Hello Agency Theme Broken Access Control (BAC)
HelloAsso Broken Access Control (BAC)
Hummingbird Broken Access Control (BAC)
HUSKY Privilege Escalation (BAC)
Icegram Collect – Easy Form, Lead Collection and Subscription plugin Broken Access Control (BAC)
ILC Thickbox Settings Update (BAC) via Cross-Site Request Forgery (CSRF)
ImageRecycle pdf & image compression Missing Authorization (BAC) in Several AJAX Actions
infolinks Ad Wrap Cross-Site Request Forgery (CSRF) to Settings Update (BAC)
InPost for WooCommerce Unauthenticated File Read (BAC)/Delete (BAC)
InPost PL Unauthenticated File Read (BAC)/Delete (BAC)
JetFormBuilder Privilege Escalation (BAC)
JobSearch Unauthenticated Account Takeover (BAC)
JobSearch Broken Access Control (BAC)
JobSearch Broken Access Control (BAC)
JoomSport Broken Access Control (BAC)
JS Help Desk – Best Help Desk & Support Plugin Broken Access Control (BAC)
Leopard - WordPress offload media Plugin Settings Change (BAC)
Linkify Text Unauthenticated Full Path Disclosure (BAC)
LiteSpeed Cache Unauthenticated Privilege Escalation (BAC)
Login As Users Broken Authentication (BAC)
Login As Users Broken Access Control (BAC) to Account Takeover (BAC)
Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid Cross-Site Scripting (XSS) via SVG File Upload (BAC)
LWS Affiliation Broken Access Control (BAC)
MainWP Child Reports Cross-Site Request Forgery (CSRF) to Options Update (BAC)
Masteriyo - LMS Broken Access Control (BAC)
Masteriyo - LMS Broken Access Control (BAC)
MaxButtons Full Path Disclosure (BAC)
Media Library Assistant File Upload (BAC) via mla-inline-edit-upload-scripts AJAX Action
Media Library Folders Missing Authorization (BAC) on Various Functions
Memberpress Broken Access Control (BAC)
Meta Box – WordPress Custom Fields Framework Broken Access Control (BAC)
Metform Elementor Contact Form Builder Unauthenticated Double-Extension File Upload (BAC)
Misiek Photo Album Album Deletion (BAC) via Cross-Site Request Forgery (CSRF)
Mollie Payments for WooCommerce Unauthenticated Full Path Disclosure (BAC)
MP3 Audio Player for Music, Radio & Podcast by Sonaar Missing Authorization (BAC) to File Deletion (BAC)
MStore API Authentication Bypass to Account Takeover (BAC)
My Custom CSS PHP & ADS Unauthenticated Full Path Disclosure (BAC)
Newsletters Unauthenticated Full Path Disclosure (BAC)
Newspack Broken Access Control (BAC)
Ninja Tables Cross-Site Scripting (XSS) via SVG File Upload (BAC)
No Update Nag Unauthenticated Full Path Disclosure (BAC)
Obfuscate Email Unauthenticated Full Path Disclosure (BAC)
oik File Deletion (BAC)
Opal Membership Information Disclosure (BAC)
Orbit Fox by ThemeIsle Cross-Site Scripting (XSS) via SVG File Upload (BAC)
Orchid Store Theme Missing Authorization (BAC) to Plugin Activation (BAC)
Order Tracking Broken Access Control (BAC)
Oxygen Builder Missing Authorization (BAC) to Stylesheet Update (BAC)
PDF Builder for WPForms Unauthenticated Full Path Disclosure (BAC)
Permalink Manager Lite Missing Authorization (BAC) to Unauthenticated Private Information Exposure
Persian WooCommerce Broken Access Control (BAC)
Photo Engine Broken Access Control (BAC)
Plugin Notes Plus Content Deletion (BAC)
Premium Addons for Elementor Missing Authorization (BAC) to Content Deletion (BAC) and Title Update (BAC)
Presto Player Broken Access Control (BAC)
Print Barcode Labels for your WooCommerce products/orders Broken Access Control (BAC)
Recipe Card Blocks for Gutenberg & Elementor Broken Access Control (BAC)
Registrations for the Events Calendar Broken Access Control (BAC)
Responsive Lightbox Cross-Site Scripting (XSS) via File Upload (BAC)
Responsive Lightbox Broken Access Control (BAC)
Reveal Template Unauthenticated Full Path Disclosure (BAC)
Reviews Feed Missing Authorization (BAC) to Settings Update (BAC)
ReviewX Broken Access Control (BAC)
ReviveNews Theme Broken Access Control (BAC)
Robin image optimizer Broken Access Control (BAC)
Send Emails with Mandrill Broken Access Control (BAC)
Sign-up Sheets Broken Access Control (BAC)
Sirv Missing Authorization (BAC) to File Upload (BAC)
Slider by Soliloquy Broken Access Control (BAC) to Cross-Site Scripting (XSS)
Smart Online Order for Clover Broken Access Control (BAC)
Smart Online Order for Clover Missing Authorization (BAC) to Plugin Deactivation and Data Deletion (BAC)
Social Slider Feed Broken Access Control (BAC)
Sunshine Photo Cart Broken Access Control (BAC)
Superfly Menu Cross-Site Request Forgery (CSRF) to File Deletion (BAC)
Sync Post With Other Site Missing Authorization (BAC) to Post Creation and Update (BAC)
TemplateSpare Missing Authorization (BAC) to Theme Update (BAC)
Theme My Login Cross-Site Request Forgery (CSRF) to Settings Update (BAC)
Themify Builder Missing Authorization (BAC) to Post Duplication
The Plus Addons for Elementor Page Builder Lite Broken Access Control (BAC)
The Post Grid Information Disclosure (BAC)
Timetics Broken Access Control (BAC)
TrueBooker Settings Update (BAC) via Cross-Site Request Forgery (CSRF)
Tutor LMS Broken Access Control (BAC)
Tutor LMS Pro Missing Authorization (BAC) to Insecure Direct Object Reference
TypeSquare Webfonts Broken Access Control (BAC)
Ultimate Membership Pro Unauthenticated Privilege Escalation (BAC)
UsersWP Users Information Disclosure (BAC)
UsersWP Broken Access Control (BAC)
Visual Sound (old) Settings Update (BAC) via Cross-Site Request Forgery (CSRF)
Waitlist Woocommerce ( Back in stock notifier ) Broken Access Control (BAC)
WHMpress Settings Change (BAC)
Woffice Theme Unauthenticated Privilege Escalation (BAC)
WooCommerce Google Feed Manager Missing Authorization (BAC) to Feed Actions
WooCommerce Google Feed Manager Missing Authorization (BAC) to File Deletion (BAC)
WooCommerce PDF Vouchers Unauthenticated File Deletion (BAC)
WooCommerce Social Login Authentication Bypass to Account Takeover (BAC)
WOOCS – WooCommerce Currency Switcher Broken Access Control (BAC)
WordPress File Upload Broken Access Control (BAC)
WordPress File Upload Unauthenticated Cross-Site Scripting (XSS) via SVG File Upload (BAC)
WP Accessibility Helper (WAH) Missing Authorization (BAC) to Settings Update (BAC)
WPC Frequently Bought Together for WooCommerce Broken Access Control (BAC)
WP Crowdfunding Settings Change (BAC)
WP Fundraising Donation and Crowdfunding Platform Privilege Escalation (BAC)
WP Search Analytics Broken Access Control (BAC)
WP SMS Broken Access Control (BAC)
WP Social Feed Gallery Broken Access Control (BAC)
WP Testimonial Widget Missing Authorization (BAC)
WpTravelly Broken Access Control (BAC)
YARPP Broken Access Control (BAC)
YayExtra Unauthenticated File Upload (BAC) via handle_upload_file Function
Z Y N I T H Unauthenticated Option Deletion (BAC)
Z Y N I T H Unauthenticated Plugin Settings Change (BAC)

WordPress BAC & WP Broken Access Control reported in 2023: 931
WordPress BAC & WP Broken Access Control reported in 2024: 1239

ultrai.ae managed online © 2023 - 2024 – All rights reserved
We’re on an empowering mission for customers, who desire not to be transformed forcefully into IT experts.