During a recent routine internal code audit, we discovered a security vulnerability in our iThemes Sync plugin. The vulnerability could allow a significant breach of your WordPress site, so we are asking all customers to confirm your sites are running the iThemes Sync plugin version 2.0.18.
At this time, we believe no one has exploited this vulnerability. We have already taken a number of precautions after the vulnerability was discovered, and have provided a patch in the latest version of the plugin to ensure exposure of the vulnerability will be limited. We are also working closely with the WordPress.org team to ensure no sites continue to run the vulnerable version of the iThemes Sync plugin.
Your trust as our community and customers is of utmost importance to us, and we aim to be as honest and transparent as we can about the issue. In our effort to be as transparent as possible with this, we are providing all of the details we currently know.
What information could attackers get access to?
The vulnerability allows unauthenticated users to add their own “secure key” to a site running the Sync plugin. With that key, an attacker could:
- Add/Remove plugins or themes on your sites.
- Manipulate content on your sites.
- Add/Change/Remove users on your sites.
What does the patch do?
The patch fixes this vulnerability by validating the “secure key” with the Sync API before allowing it to be added.
What should you do?
What steps have we taken?
We have forced updates through WordPress.org, the Sync dashboard and Liquid Web’s Managed WordPress/WooCommerce platform. Every site at this point should be on version 2.0.18.
While we hope this precaution will cover 100% of sites currently running the vulnerable version of the plugin, there is a chance that your sites could still be running an outdated version of Sync. So we’re asking that you log in to each of your sites with Sync installed and make sure you are running version 2.0.18.
Thank you for your attention to this important security notice. We sincerely apologize for any inconvenience this update may have caused you.
As always, thank you for your understanding and continued support.
Does this mean the Sync dashboard is not secure?
The iThemes Sync website dashboard is secure and undergoes routine security checks as part of our effort to continue to maintain a high level of security. At this time, there is no cause for concern that the Sync dashboard has any security issues.
Does this affect sites where the Sync plugin is installed, but not activated?
No. The vulnerability in Sync affects all sites that have the Sync plugin activated. But if you are worried that a site might not have the patch, please log in to your site and check your plugins. The Sync plugin should be on version 2.0.18. If you do not have this version, please update Sync immediately.
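The check requested above (log in to each site, confirm the Sync plugin is on 2.0.18, and note that only an activated copy exposes the site) can be scripted when you manage several installs. The script below is an added example, not iThemes' own code: it assumes WP-CLI (`wp`) is installed on the host and that the plugin's WordPress.org slug is `ithemes-sync` (an assumption; adjust if yours differs).

```shell
#!/bin/sh
# Added example, not iThemes' own code: audit local WordPress installs for the
# iThemes Sync plugin and flag any site where it is active below 2.0.18.
# Assumptions: WP-CLI ("wp") is installed and the plugin slug is "ithemes-sync".
set -eu
PATCHED_VERSION="2.0.18"
SYNC_SLUG="ithemes-sync"   # assumed slug
# vfield VERSION N -> Nth dot-separated component, digits only, empty if missing.
vfield() { printf '%s.' "$1" | cut -d. -f"$2" | tr -dc '0-9'; }
# version_lt A B -> exit 0 if version A is strictly lower than version B.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(vfield "$1" "$i"); y=$(vfield "$2" "$i")
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1
}
# classify STATUS VERSION -> verdict per the advisory: only an *active* copy
# below 2.0.18 exposes the site; an inactive old copy still needs updating.
classify() {
    [ "$1" = "absent" ] && { printf 'ABSENT\n'; return 0; }
    if version_lt "$2" "$PATCHED_VERSION"; then
        [ "$1" = "active" ] && printf 'VULNERABLE\n' || printf 'OUTDATED-INACTIVE\n'
    else
        printf 'PATCHED\n'
    fi
}
# sync_state SITE_PATH -> "<status> <version>" via WP-CLI, or "absent -".
sync_state() {
    status=$(wp plugin get "$SYNC_SLUG" --path="$1" --field=status 2>/dev/null) \
        || { printf 'absent -\n'; return 0; }
    printf '%s %s\n' "$status" \
        "$(wp plugin get "$SYNC_SLUG" --path="$1" --field=version 2>/dev/null)"
}
# audit_sites PATH... -> one line per site; returns 1 if any site is VULNERABLE.
audit_sites() {
    rc=0
    for site in "$@"; do
        state=$(sync_state "$site")
        verdict=$(classify "${state%% *}" "${state#* }")
        printf '%-18s %s\n' "$verdict" "$site"
        [ "$verdict" = "VULNERABLE" ] && rc=1
    done
    return "$rc"
}
if [ "$#" -gt 0 ]; then audit_sites "$@"; fi   # e.g. ./sync_audit.sh /var/www/site1
```

A non-zero exit from `audit_sites` means at least one install still has the vulnerable plugin active and should be updated immediately.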
What happens if I don’t update Sync?
If you do not update Sync, you will remain on an insecure version of the plugin. It is imperative that you update your Sync plugin version to 2.0.18.
I have a question. Where can I get help?
If you have questions or need help, our support team is standing by. Visit the iThemes Help Desk.