Solid Central – Site Management, Backups, Security, and Reporting: Security & Risk Analysis

wordpress.org/plugins/ithemes-sync

Manage multiple WordPress sites from one dashboard.

30K active installs · v3.2.9 · PHP 7.0+ · WP 6.4+ · Updated Feb 18, 2026
Tags: backup, manage-multiple-websites, manage-updates, report-dashboard, security
Score: 97
A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Nov 7, 2023
Safety Verdict

Is Solid Central – Site Management, Backups, Security, and Reporting Safe to Use in 2026?

Generally Safe

Score 97/100

Solid Central – Site Management, Backups, Security, and Reporting has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Nov 7, 2023 · Updated 1mo ago
Risk Assessment

The iThemes Sync plugin v3.2.9 presents a mixed security posture. On the positive side, static analysis indicates a limited attack surface, with no unprotected entry points such as AJAX handlers or REST API routes lacking proper checks. The plugin also follows good practice in output escaping, with a high percentage of outputs properly escaped, and has a reasonable number of capability checks in place. However, the presence of the dangerous functions `shell_exec`, `exec`, `system`, and `passthru` is a significant concern. If misused or exposed to untrusted input, these functions can lead to severe command injection vulnerabilities.

The vulnerability history is also a cause for concern, with a total of 3 known CVEs, including one critical vulnerability. While there are currently no unpatched CVEs, the pattern of past vulnerabilities, including Cross-Site Scripting, CSRF, and Incorrect User Management, suggests potential recurring weaknesses in input validation and access control. The single taint flow with an unsanitized path, while not rated critical or high, warrants careful investigation, especially in conjunction with the dangerous functions identified. The relatively low percentage of SQL queries using prepared statements also indicates a potential for SQL injection vulnerabilities.

In conclusion, while iThemes Sync v3.2.9 has strengths in its limited attack surface and output escaping, its use of dangerous system execution functions, its history of critical and medium severity vulnerabilities, and its low share of SQL queries using prepared statements call for caution. The plugin's track record and the presence of powerful but risky functions point to a need for ongoing vigilance and timely updates.

Key Concerns

  • Presence of dangerous system execution functions
  • History of critical severity vulnerability
  • SQL queries not fully using prepared statements
  • Flows with unsanitized paths identified
  • History of Cross-Site Scripting vulnerabilities
  • History of Cross-Site Request Forgery vulnerabilities
  • History of Incorrect User Management vulnerabilities
Vulnerabilities: 3

Solid Central – Site Management, Backups, Security, and Reporting Security Vulnerabilities

CVEs by Year

2019: 1 CVE
2023: 2 CVEs

Severity Breakdown

Critical: 1
Medium: 2

3 total CVEs

WF-55234307-9d51-4fe8-bc22-78d32a5fed11-ithemes-sync · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Solid Central <= 3.0.0 - Stored Cross-Site Scripting via packages

Nov 7, 2023 · Patched in 3.0.1 (77d)

CVE-2023-40001 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

iThemes Sync <= 2.1.13 - Cross-Site Request Forgery and Missing Authorization via 'hide_authenticate_notice'

Aug 25, 2023 · Patched in 2.1.14 (151d)

WF-6fb01045-d38f-469f-8aaf-ff8882132acc-ithemes-sync · critical · 9.8 · Incorrect User Management

iThemes Sync <= 2.0.17 - Authentication Bypass

Oct 9, 2019 · Patched in 2.0.18 (1567d)
Code Analysis
Analyzed Mar 16, 2026

Solid Central – Site Management, Backups, Security, and Reporting Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 29 · 10 prepared
Unescaped Output: 8 · 23 escaped
Nonce Checks: 3
Capability Checks: 7
File Operations: 6
External Requests: 7
Bundled Libraries: 0

Dangerous Functions Found

shell_exec · `$result = @shell_exec( $command );` · functions.php:583
exec · `@exec( $command, $results, $status );` · functions.php:593
system · `$return = @system( $command, $status );` · functions.php:606
passthru · `$return = @passthru( $command, $status );` · functions.php:622

SQL Query Safety

26% prepared · 39 total queries

Output Escaping

74% escaped · 31 total outputs
Data Flows: 1 unsanitized

Data Flow Analysis

1 flow · 1 with unsanitized paths
<load> (load.php:0)
Attack Surface

Solid Central – Site Management, Backups, Security, and Reporting Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers 1

auth · wp_ajax_ithemes_sync_hide_notice · admin.php:32
WordPress Hooks 86
action · init · admin.php:31
action · admin_init · admin.php:33
filter · heartbeat_received · admin.php:34
filter · all_plugins · admin.php:38
action · all_admin_notices · admin.php:66
action · all_admin_notices · admin.php:72
action · all_admin_notices · admin.php:79
action · admin_menu · admin.php:87
action · network_admin_menu · admin.php:90
action · all_admin_notices · admin.php:105
action · all_admin_notices · admin.php:117
action · load-plugins.php · admin.php:124
action · init · api.php:95
action · init · client-dashboard.php:13
action · network_admin_notices · client-dashboard.php:29
action · user_admin_notices · client-dashboard.php:30
action · admin_notices · client-dashboard.php:31
action · all_admin_notices · client-dashboard.php:32
action · network_admin_notices · client-dashboard.php:33
action · user_admin_notices · client-dashboard.php:34
action · admin_notices · client-dashboard.php:35
action · all_admin_notices · client-dashboard.php:36
action · admin_menu · client-dashboard.php:40
action · wp_before_admin_bar_render · client-dashboard.php:43
action · screen_layout_columns · client-dashboard.php:46
filter · show_welcome_panel · client-dashboard.php:49
action · admin_menu · client-dashboard.php:58
action · wp_before_admin_bar_render · client-dashboard.php:59
action · switch_theme · client-dashboard.php:61
action · activate_plugin · client-dashboard.php:62
action · deactivate_plugin · client-dashboard.php:63
action · update_option_active_plugins · client-dashboard.php:64
action · add_option_active_plugins · client-dashboard.php:65
action · update_site_option_active_sitewide_plugins · client-dashboard.php:67
action · add_site_option_active_sitewide_plugins · client-dashboard.php:68
action · admin_footer-index.php · client-dashboard.php:73
action · all_admin_notices · init.php:25
action · plugins_loaded · load.php:23
action · rest_api_init · load.php:40
action · init · load.php:56
action · ithemes_updater_register · load.php:125
filter · solid_security_trusted_ips · load.php:144
action · init · load.php:193
action · ithemes_sync_daily_schedule · load.php:220
action · wp_head · load.php:234
action · _core_updated_successfully · notices.php:10
action · activated_plugin · notices.php:13
action · deactivated_plugin · notices.php:14
action · delete_plugin · notices.php:15
action · deleted_plugin · notices.php:16
action · switch_theme · notices.php:19
action · delete_site_transient_update_themes · notices.php:20
action · upgrader_process_complete · notices.php:23
action · backupbuddy_run_remote_snapshot_response · notices.php:26
action · itsec_log_add · notices.php:29
action · itsec_two_factor_interstitial_pre_render · notices.php:30
action · itsec_site_scanner_scan_complete · notices.php:31
action · itsec_vulnerability_not_seen · notices.php:32
action · itsec_vulnerability_was_seen · notices.php:33
action · shutdown · notices.php:101
action · ithemes-sync-add-log · request-handler.php:62
action · ithemes-sync-add-log · request-handler.php:82
action · shutdown · request-handler.php:83
action · ithemes_sync_verbs_registered · request-handler.php:84
filter · pre_site_option_duo_ikey · request-handler.php:163
filter · pre_option_duo_ikey · request-handler.php:164
filter · user_has_cap · request-handler.php:256
filter · transient_update_plugins · request-handler.php:385
filter · site_transient_update_plugins · request-handler.php:386
filter · pre_site_transient_update_plugins · request-handler.php:392
filter · pre_site_transient_update_themes · request-handler.php:393
filter · pre_site_transient_update_core · request-handler.php:394
filter · site_transient_update_plugins · request-handler.php:429
action · ithemes_sync_settings_page_load · settings-page.php:43
action · ithemes_sync_settings_page_index · settings-page.php:44
action · admin_print_styles · settings-page.php:45
action · admin_print_scripts · settings-page.php:46
action · shutdown · settings.php:68
action · admin_post_nopriv_solid_central_refresh_updates_data · src\Admin_Post\Admin_Post_Handler.php:45
filter · transient_update_plugins · src\Admin_Post\Admin_Post_Handler.php:157
filter · site_transient_update_plugins · src\Admin_Post\Admin_Post_Handler.php:158
filter · pre_site_transient_update_plugins · src\Admin_Post\Admin_Post_Handler.php:172
filter · pre_site_transient_update_themes · src\Admin_Post\Admin_Post_Handler.php:173
filter · pre_site_transient_update_core · src\Admin_Post\Admin_Post_Handler.php:174
action · shutdown · src\Central_Server\Central_Server_Notifier.php:64
action · upgrader_process_complete · verbs\do-update.php:49

Scheduled Events 1

ithemes_sync_daily_schedule
Maintenance & Trust

Solid Central – Site Management, Backups, Security, and Reporting Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Feb 18, 2026
PHP min version: 7.0
Downloads: 1.4M

Community Trust

Rating: 84/100
Number of ratings: 5
Active installs: 30K
Developer Profile

Solid Central – Site Management, Backups, Security, and Reporting Developer Profile

StellarWP

26 plugins · 3.1M total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 462 days
Detection Fingerprints

How We Detect Solid Central – Site Management, Backups, Security, and Reporting

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ithemes-sync/css/admin-notice.css
/wp-content/plugins/ithemes-sync/js/admin-notice.js
Script Paths
/wp-content/plugins/ithemes-sync/js/admin-notice.js
Version Parameters
ithemes-sync/css/admin-notice.css?ver=
ithemes-sync/js/admin-notice.js?ver=

HTML / DOM Fingerprints

CSS Classes
ithemes-sync-notice
ithemes-sync-notice-button
ithemes-sync-notice-hide
Data Attributes
data-dismiss-nonce
JS Globals
ithemes_sync_notice