CVE-2026-27056

Solid Central – Site Management, Backups, Security, and Reporting <= 3.2.8 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 3.2.9
Time to patch: 114 days

Description

The Solid Central – Site Management, Backups, Security, and Reporting plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.2.8
Published: January 11, 2026
Last updated: May 4, 2026
Affected plugin: ithemes-sync

What Changed in the Fix

Changes introduced in v3.2.9 (the client-dashboard.php diff between 3.2.8 and 3.2.9 is reproduced under Security Fix below)

Source Code

WordPress.org SVN
Research Plan (status: unverified)


Solid Central – Missing Authorization Research Plan (CVE-2026-27056)

1. Vulnerability Summary

The Solid Central (ithemes-sync) plugin is vulnerable to Missing Authorization in versions up to and including 3.2.8. The vulnerability exists because an admin_post action (likely it-sync-refresh-client-dashboard or similar, handled by SolidWP\Central\Admin_Post\Admin_Post_Handler) fails to perform a capability check (e.g., current_user_can( 'manage_options' )).

This allows an authenticated attacker with Contributor-level access to trigger a "refresh" of the Client Dashboard whitelists. In practice, this clears the user's current restricted whitelist (set by an administrator), causing the plugin to regenerate it with a more permissive default set of menu items, effectively bypassing intended restrictions.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-post.php
  • Action: it-sync-refresh-client-dashboard (handled by Admin_Post_Handler)
  • Method: GET or POST
  • Parameter: action=it-sync-refresh-client-dashboard
  • Authentication: Authenticated (Contributor level or higher)
  • Preconditions: The "Client Dashboard" feature must be enabled for the target user to restrict their menu items.

3. Code Flow

Research Findings
Static analysis — not yet PoC-verified

Summary

The Solid Central plugin for WordPress is vulnerable to unauthorized access because it lacks a capability check on the action that refreshes the Client Dashboard whitelist. An authenticated user, such as a Contributor, can clear the menu and feature restrictions an administrator imposed on their own account, bypassing an intended control. The effect is limited to what the plugin hides: the user's WordPress role capabilities still apply to any action they then attempt, which is consistent with the vector's no-confidentiality, low-integrity rating (C:N/I:L).

Vulnerable Code

// client-dashboard.php line 25
public function init() {
    $user_id    = get_current_user_id();
    $refresh_cd = get_user_meta( $user_id, 'it-sync-refresh-cd' );

    // If this user is supposed to see the client dashboard
    if ( get_user_meta( $user_id, 'ithemes-sync-client-dashboard', true ) && empty( $refresh_cd ) ) {
        // ...
        // Filter menu items
        add_action( 'admin_menu', [ $this, 'filter_admin_menu' ], 999999 ); // We want to be last!
        // ...
    } else {
        // If this is a call from the Edit User screen in sync, clear the cache.
        if ( ! empty( $refresh_cd ) ) {
            delete_user_meta( $user_id, 'it-sync-refresh-cd' );
            $this->clear_cache();
        }
    }
}

---

// src/Admin_Post/Admin_Post_Handler.php (inferred from load.php and the research plan;
// this file is not part of the client-dashboard.php diff shown below)
// The handler for 'it-sync-refresh-client-dashboard' is believed to set the 'it-sync-refresh-cd'
// meta key without first performing a capability check such as current_user_can( 'manage_options' ).

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/ithemes-sync/3.2.8/client-dashboard.php /home/deploy/wp-safety.org/data/plugin-versions/ithemes-sync/3.2.9/client-dashboard.php
--- /home/deploy/wp-safety.org/data/plugin-versions/ithemes-sync/3.2.8/client-dashboard.php	2024-09-18 19:06:28.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/ithemes-sync/3.2.9/client-dashboard.php	2026-02-18 19:29:54.000000000 +0000
@@ -330,7 +330,7 @@
 			[
 				'blog_id' => get_current_blog_id(),
 				'fields'  => [ 'ID' ],
-			] 
+			]
 		);
 		$meta_key = 'ithemes-sync-admin-bar-items-' . get_current_blog_id();
 		foreach ( $users as $user ) {
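Review bot: Whitespace-only hunk (a trailing space after `]` in the `get_users()` argument array is dropped); it changes no behaviour and is not part of the authorization fix, so it belongs in a separate formatting commit to keep the security change reviewable on its own. The context is still worth a reader's attention: the surrounding code fetches every user ID on the current blog and builds the per-blog `ithemes-sync-admin-bar-items-<blog_id>` meta key, so a refresh touches state for all users of the blog, not only the user who triggered it.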
@@ -352,7 +352,7 @@
 				[
 					'blog_id' => 0,
 					'fields'  => [ 'ID' ],
-				] 
+				]
 			);
 			foreach ( $wpdb->get_col( $query ) as $blog_id ) {
 				delete_blog_option( $blog_id, 'ithemes-sync-admin_menu' );
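Review bot: Also whitespace-only (trailing space after `]`), no functional change. Note the multisite branch in context, though: `get_users( [ 'blog_id' => 0, ... ] )` pulls users network-wide, and the loop `delete_blog_option( $blog_id, 'ithemes-sync-admin_menu' )` over `$wpdb->get_col( $query )` removes the cached admin menu on every blog ID `$query` returns. On a multisite install a refresh therefore has network-wide effect, which is one more reason the action that triggers it must be capability-gated.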
@@ -366,22 +366,49 @@
 		}
 	}
 
-	public function dashboard_admin_footer() {
+	public function dashboard_admin_footer(): void {
+		global $wp_meta_boxes;
+
 		$meta_box_list = get_option( 'ithemes-sync-dashboard-metaboxes' );
-		if ( false === $meta_box_list ) {
-			global $wp_meta_boxes;
-			$screen        = get_current_screen();
-			$meta_box_list = [];
-			foreach ( $wp_meta_boxes[ $screen->id ] as $box_position ) {
-				foreach ( $box_position as $box_set ) {
-					foreach ( $box_set as $box ) {
-						$meta_box_list[ $box['id'] ] = $box['title'];
+		if ( is_array( $meta_box_list ) ) {
+			return;
+		}
+
+		$screen = get_current_screen();
+		if ( ! $screen instanceof WP_Screen ) {
+			return;
+		}
+
+		if ( $screen->id !== 'dashboard' ) {
+			return;
+		}
+
+		$screen_meta_boxes = (array) ( $wp_meta_boxes[ $screen->id ] ?? [] );
+		$meta_box_list     = [];
+		foreach ( $screen_meta_boxes as $box_position ) {
+			if ( ! is_array( $box_position ) ) {
+				continue;
+			}
+
+			foreach ( $box_position as $box_set ) {
+				if ( ! is_array( $box_set ) ) {
+					continue;
+				}
+
+				foreach ( $box_set as $box ) {
+					$id    = (string) ( $box['id'] ?? '' );
+					$title = (string) ( $box['title'] ?? '' );
+					if ( $id === '' || $title === '' ) {
+						continue;
 					}
+
+					$meta_box_list[ $id ] = $title;
 				}
 			}
-			$meta_box_list['show_welcome_panel'] = _x( 'Welcome', 'Welcome panel' );
-			update_option( 'ithemes-sync-dashboard-metaboxes', $meta_box_list );
 		}
+
+		$meta_box_list['show_welcome_panel'] = _x( 'Welcome', 'Welcome panel' );
+		update_option( 'ithemes-sync-dashboard-metaboxes', $meta_box_list );
 	}
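Review bot: Nothing in this hunk adds a capability check, so the diff shown does not contain the CVE-2026-27056 fix itself; the `admin_post` handler the research plan points at (`src/Admin_Post/Admin_Post_Handler.php`) is outside this file, and a reviewer should confirm that file gained `current_user_can()` and nonce checks before treating 3.2.9 as patched. What this hunk does is harden `dashboard_admin_footer()`: it returns unless `get_current_screen()` is a `WP_Screen` whose `id` is `dashboard`, guards `$wp_meta_boxes[ $screen->id ]` with `?? []`, and skips non-array levels and boxes lacking `id` or `title`, which removes the PHP warnings the old unguarded triple `foreach` raised on screens without meta boxes. Two points to check: the guard changed from `false === $meta_box_list` to `! is_array( $meta_box_list )`, so any non-array option value (not only a missing one) is now regenerated and written back with `update_option()`, a behaviour change worth a changelog line; and `WP_Screen` is referenced unqualified, so if client-dashboard.php declares a namespace it needs `\WP_Screen` or a `use` import, otherwise the `instanceof` test is always false and the function silently becomes a no-op.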

Exploit Outline

To exploit this vulnerability (an inferred flow, not yet PoC-verified), an attacker needs an authenticated account whose admin menu has been restricted by an administrator through the Client Dashboard feature, typically a Contributor or another low-privilege role. The attacker sends a request to `/wp-admin/admin-post.php` with `action=it-sync-refresh-client-dashboard`. Because the handler performs no capability check, the server sets the `it-sync-refresh-cd` meta key for the attacker's own user ID. On the attacker's next admin page load, `init()` finds the key, deletes it, and calls `clear_cache()`, which removes the cached menu whitelist; the plugin then regenerates it from its more permissive defaults, and menu items and dashboard features the administrator had hidden reappear for that user.
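The request above reaches an `admin_post_{action}` callback, which WordPress runs for any logged-in user; whether the caller is allowed to do what the action does is entirely the callback's job. The following is an added example, not Solid Central's code: a hypothetical handler written the way the research plan says the vulnerable one behaves (it sets `it-sync-refresh-cd` for the current user with no check), beside the same action gated with a capability check, a nonce, and validation of the target user, plus the link builder an Edit User screen would need so that the nonce verifies. The hook name and meta key follow the page; the function names, the `user_id` parameter and the nonce action string are assumptions.

```php
<?php
/**
 * Added example, not Solid Central's source. Hook name and meta key follow
 * the research plan on this page; function names, the `user_id` parameter
 * and the nonce action string are assumptions.
 *
 * admin_post_{action} callbacks fire for ANY logged-in user who requests
 * /wp-admin/admin-post.php?action={action}; WordPress performs no
 * capability check of its own, so the callback must.
 */

// Pattern A (the bug class, shown but not registered): the flag is set for
// whoever calls the action. A Contributor can therefore schedule a refresh of
// their own restricted Client Dashboard, which init() later turns into clear_cache().
function example_refresh_cd_unchecked(): void {
	update_user_meta( get_current_user_id(), 'it-sync-refresh-cd', 1 );
	wp_safe_redirect( admin_url() );
	exit;
}

// Pattern B (gated): capability, CSRF token, and an explicit, validated target.
function example_refresh_cd_checked(): void {
	// 1. Authorization first: only a user allowed to manage the site may lift a
	//    restriction an administrator imposed. manage_options is the check the
	//    research plan names; edit_users would also fit an Edit User screen.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to refresh Client Dashboard settings.' ), 403 );
	}

	// 2. CSRF: verify the nonce that example_refresh_cd_link() attaches.
	//    check_admin_referer() dies with a 403 page when it does not verify.
	check_admin_referer( 'it-sync-refresh-client-dashboard' );

	// 3. Target: taken from the request so an admin can refresh another user's
	//    dashboard, but it must exist and be a user the caller may edit.
	$target = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
	if ( 0 === $target || ! get_userdata( $target ) || ! current_user_can( 'edit_user', $target ) ) {
		wp_die( esc_html__( 'Invalid user.' ), 400 );
	}

	update_user_meta( $target, 'it-sync-refresh-cd', 1 );
	wp_safe_redirect( get_edit_user_link( $target ) );
	exit;
}

// The link an Edit User screen would render; the nonce action must match step 2.
// wp_nonce_url() adds the _wpnonce parameter that check_admin_referer() reads by default.
function example_refresh_cd_link( int $target ): string {
	$url = add_query_arg(
		[
			'action'  => 'it-sync-refresh-client-dashboard',
			'user_id' => $target,
		],
		admin_url( 'admin-post.php' )
	);
	return wp_nonce_url( $url, 'it-sync-refresh-client-dashboard' );
}

// Only the gated handler is registered. There is deliberately no
// admin_post_nopriv_ registration, so anonymous callers reach nothing.
add_action( 'admin_post_it-sync-refresh-client-dashboard', 'example_refresh_cd_checked' );
```

With Pattern B in place, a Contributor who requests the URL from the Exploit Outline gets a 403 from step 1 before the nonce or the target are looked at. The order matters: a nonce alone does not authorize, because any user for whom the link is rendered also holds a valid nonce, so the capability check is the control that actually addresses this CVE and the nonce only stops a third party from making an administrator trigger it.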
