Please Confirm You Are Running Version 2.0.18+ of the iThemes Sync Plugin
During a recent routine internal code audit, we discovered a security vulnerability in our iThemes Sync plugin. The vulnerability could allow a significant breach of your WordPress site, so we are asking all customers to confirm that your sites are running version 2.0.18 or higher of the iThemes Sync plugin.
At this time, we believe no one has exploited this vulnerability. We have already taken a number of precautions after the vulnerability was discovered, and have provided a patch in the latest version of the plugin to ensure exposure of the vulnerability will be limited. We are also working closely with the WordPress.org team to ensure no sites continue to run the vulnerable version of the iThemes Sync plugin.
Your trust as our community and customers is of utmost importance to us, and we aim to be as honest and transparent as we can about this issue, so we are providing all of the details we currently know.
What information could attackers get access to?
The vulnerability allows an unauthenticated user to add their own “secure key” to a site running the Sync plugin. An attacker who did so could:
- Add/Remove plugins or themes
- Manipulate content
- Add/Change/Remove users
What does the patch do?
- The patch fixes this vulnerability by validating the “secure key” with the Sync API before allowing it to be added.
What should you do?
- Log in to the iThemes Sync dashboard and confirm the iThemes Sync plugin has been updated to 2.0.18 or higher.
- If you have plugin updates turned off, you need to immediately update the iThemes Sync plugin on all your WordPress sites to version 2.0.18.
- If you need to manually update the plugin, you can download the latest version of Sync from your Sync dashboard or from the iThemes Member Panel.
- As an extra precaution, confirm you don’t have any invalid users in Sync by visiting Settings > iThemes Sync from your WordPress admin dashboard. Immediately Unsync any invalid users.
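The version check above is easy to do by hand for one site and error-prone for many. The script below is an added example, not iThemes' code or part of this notice: it compares each site's installed Sync version against 2.0.18 component by component (so 2.1.0 and later releases pass, while a missing version is treated as outdated) and reports which sites still need the update. It assumes the plugin's WordPress.org slug is ithemes-sync and that WP-CLI (wp) is installed on hosts you query directly; the inventory it runs on stand-alone is constructed, not real site data.

```sh
#!/bin/sh
# Added example, not iThemes' code: report which WordPress sites run an
# iThemes Sync version below 2.0.18, the patched release named in the notice.
# Assumptions: the plugin's WordPress.org slug is "ithemes-sync" and WP-CLI ("wp")
# is installed on any host you query directly.

REQUIRED="2.0.18"

# Reduce a version string to dotted digits: strip a leading "v" and anything
# from the first character that is neither a digit nor a dot (e.g. "-beta").
clean_version() {
    printf '%s' "$1" | sed 's/^[vV]//; s/[^0-9.].*//'
}

# version_ge A B -> status 0 if A >= B, comparing component by component as
# integers (a plain string compare would rank 2.0.9 above 2.0.18).
# Missing components count as 0, so 2.1 >= 2.0.18 and "" < 2.0.18.
version_ge() {
    a=$(clean_version "$1")
    b=$(clean_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0   # every component equal
}

# sync_version WP_PATH -> the installed Sync version at one WordPress install,
# via WP-CLI; prints nothing if the plugin is absent or wp is unavailable.
# (Assumed slug: ithemes-sync.)
sync_version() {
    wp plugin get ithemes-sync --path="$1" --field=version 2>/dev/null
}

# audit_inventory reads "site version" lines on stdin (version may be empty),
# prints one verdict per site and returns 1 if any site still needs the update.
audit_inventory() {
    rc=0
    while read -r site version; do
        [ -n "$site" ] || continue
        if version_ge "$version" "$REQUIRED"; then
            printf 'OK        %s (%s)\n' "$site" "$version"
        else
            printf 'OUTDATED  %s (%s)\n' "$site" "${version:-no version reported}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed inventory for a stand-alone run; these are not real sites.
# On real hosts you would build these lines with something like:
#   printf '%s %s\n' "$site" "$(sync_version "/var/www/$site")"
SAMPLE_INVENTORY='site-a.example 2.0.18
site-b.example 2.0.17
site-c.example 2.1.0
site-d.example'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory \
    || echo "At least one site still needs updating."
```

A site that reports no version at all is flagged rather than skipped, because "plugin not found" on a host you believe runs Sync is itself something to look into. Pair the version check with the Settings > iThemes Sync review above, since the patch closes the door but does not remove a key an attacker might already have added.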
What steps have we taken?
We have forced updates through WordPress.org, the Sync dashboard and Liquid Web’s Managed WordPress/WooCommerce platform. Every site at this point should be on version 2.0.18.
While we hope this precaution will cover 100% of sites currently running the vulnerable version of the plugin, there is a chance that your sites could still be running an outdated version of Sync. So we’re asking that you log in to each of your sites with Sync installed and make sure you are running version 2.0.18.
Thank you for your attention to this important security notice. We sincerely apologize for any inconvenience this update may have caused you.
As always, thank you for your understanding and continued support.