[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f03z-7HnrE4gcwjRxSyjIFophyfCZEVpd3dkBe0hR2js":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-27056","solid-central-site-management-backups-security-and-reporting-missing-authorization","Solid Central – Site Management, Backups, Security, and Reporting \u003C= 3.2.8 - Missing Authorization","The Solid Central – Site Management, Backups, Security, and Reporting plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.","ithemes-sync",null,"\u003C=3.2.8","3.2.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-11 00:00:00","2026-05-04 15:51:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Faec4559a-4d96-49d3-8dc3-0210c78a798e?source=api-prod",114,[22,23,24,25,26],"client-dashboard.php","history.txt","init.php","load.php","readme.txt","researched",false,3,"# Solid Central – Missing Authorization Research Plan (CVE-2026-27056)\n\n## 1. Vulnerability Summary\nThe **Solid Central (ithemes-sync)** plugin is vulnerable to Missing Authorization in versions up to and including 3.2.8. The vulnerability exists because an `admin_post` action (likely `it-sync-refresh-client-dashboard` or similar, handled by `SolidWP\\Central\\Admin_Post\\Admin_Post_Handler`) fails to perform a capability check (e.g., `current_user_can( 'manage_options' )`). \n\nThis allows an authenticated attacker with Contributor-level access to trigger a \"refresh\" of the **Client Dashboard** whitelists. In practice, this clears the user's current restricted whitelist (set by an administrator), causing the plugin to regenerate it with a more permissive default set of menu items, effectively bypassing intended restrictions.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-post.php`\n- **Action:** `it-sync-refresh-client-dashboard` (handled by `Admin_Post_Handler`)\n- **Method:** `GET` or `POST`\n- **Parameter:** `action=it-sync-refresh-client-dashboard`\n- **Authentication:** Authenticated (Contributor level or higher)\n- **Preconditions:** The \"Client Dashboard\" feature must be enabled for the target user to restrict their menu items.\n\n## 3. Code Flow\n1.  ","The Solid Central plugin for WordPress is vulnerable to unauthorized access because it lacks capability checks on the action that refreshes the Client Dashboard whitelist. This allows authenticated attackers, such as those with Contributor-level access, to clear administrator-imposed menu and feature restrictions, effectively bypassing intended security controls and gaining access to restricted WordPress administrative areas.","\u002F\u002F client-dashboard.php line 25\npublic function init() {\n    $user_id    = get_current_user_id();\n    $refresh_cd = get_user_meta( $user_id, 'it-sync-refresh-cd' );\n\n    \u002F\u002F If this user is supposed to see the client dashboard\n    if ( get_user_meta( $user_id, 'ithemes-sync-client-dashboard', true ) && empty( $refresh_cd ) ) {\n        \u002F\u002F ...\n        \u002F\u002F Filter menu items\n        add_action( 'admin_menu', [ $this, 'filter_admin_menu' ], 999999 ); \u002F\u002F We want to be last!\n        \u002F\u002F ...\n    } else {\n        \u002F\u002F If this is a call from the Edit User screen in sync, clear the cache.\n        if ( ! empty( $refresh_cd ) ) {\n            delete_user_meta( $user_id, 'it-sync-refresh-cd' );\n            $this->clear_cache();\n        }\n    }\n}\n\n---\n\n\u002F\u002F src\u002FAdmin_Post\u002FAdmin_Post_Handler.php (inferred based on load.php and research plan)\n\u002F\u002F The handler for 'it-sync-refresh-client-dashboard' fails to perform a capability check\n\u002F\u002F like current_user_can( 'manage_options' ) before setting the 'it-sync-refresh-cd' meta key.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fithemes-sync\u002F3.2.8\u002Fclient-dashboard.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fithemes-sync\u002F3.2.9\u002Fclient-dashboard.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fithemes-sync\u002F3.2.8\u002Fclient-dashboard.php\t2024-09-18 19:06:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fithemes-sync\u002F3.2.9\u002Fclient-dashboard.php\t2026-02-18 19:29:54.000000000 +0000\n@@ -330,7 +330,7 @@\n \t\t\t[\n \t\t\t\t'blog_id' => get_current_blog_id(),\n \t\t\t\t'fields'  => [ 'ID' ],\n-\t\t\t] \n+\t\t\t]\n \t\t);\n \t\t$meta_key = 'ithemes-sync-admin-bar-items-' . get_current_blog_id();\n \t\tforeach ( $users as $user ) {\n@@ -352,7 +352,7 @@\n \t\t\t\t[\n \t\t\t\t\t'blog_id' => 0,\n \t\t\t\t\t'fields'  => [ 'ID' ],\n-\t\t\t\t] \n+\t\t\t\t]\n \t\t\t);\n \t\t\tforeach ( $wpdb->get_col( $query ) as $blog_id ) {\n \t\t\t\tdelete_blog_option( $blog_id, 'ithemes-sync-admin_menu' );\n@@ -366,22 +366,49 @@\n \t\t}\n \t}\n \n-\tpublic function dashboard_admin_footer() {\n+\tpublic function dashboard_admin_footer(): void {\n+\t\tglobal $wp_meta_boxes;\n+\n \t\t$meta_box_list = get_option( 'ithemes-sync-dashboard-metaboxes' );\n-\t\tif ( false === $meta_box_list ) {\n-\t\t\tglobal $wp_meta_boxes;\n-\t\t\t$screen        = get_current_screen();\n-\t\t\t$meta_box_list = [];\n-\t\t\tforeach ( $wp_meta_boxes[ $screen->id ] as $box_position ) {\n-\t\t\t\tforeach ( $box_position as $box_set ) {\n-\t\t\t\t\tforeach ( $box_set as $box ) {\n-\t\t\t\t\t\t$meta_box_list[ $box['id'] ] = $box['title'];\n+\t\tif ( is_array( $meta_box_list ) ) {\n+\t\t\treturn;\n+\t\t}\n+\n+\t\t$screen = get_current_screen();\n+\t\tif ( ! $screen instanceof WP_Screen ) {\n+\t\t\treturn;\n+\t\t}\n+\n+\t\tif ( $screen->id !== 'dashboard' ) {\n+\t\t\treturn;\n+\t\t}\n+\n+\t\t$screen_meta_boxes = (array) ( $wp_meta_boxes[ $screen->id ] ?? [] );\n+\t\t$meta_box_list     = [];\n+\t\tforeach ( $screen_meta_boxes as $box_position ) {\n+\t\t\tif ( ! is_array( $box_position ) ) {\n+\t\t\t\tcontinue;\n+\t\t\t}\n+\n+\t\t\tforeach ( $box_position as $box_set ) {\n+\t\t\t\tif ( ! is_array( $box_set ) ) {\n+\t\t\t\t\tcontinue;\n+\t\t\t\t}\n+\n+\t\t\t\tforeach ( $box_set as $box ) {\n+\t\t\t\t\t$id    = (string) ( $box['id'] ?? '' );\n+\t\t\t\t\t$title = (string) ( $box['title'] ?? '' );\n+\t\t\t\t\tif ( $id === '' || $title === '' ) {\n+\t\t\t\t\t\tcontinue;\n \t\t\t\t\t}\n+\n+\t\t\t\t\t$meta_box_list[ $id ] = $title;\n \t\t\t\t}\n \t\t\t}\n-\t\t\t$meta_box_list['show_welcome_panel'] = _x( 'Welcome', 'Welcome panel' );\n-\t\t\tupdate_option( 'ithemes-sync-dashboard-metaboxes', $meta_box_list );\n \t\t}\n+\n+\t\t$meta_box_list['show_welcome_panel'] = _x( 'Welcome', 'Welcome panel' );\n+\t\tupdate_option( 'ithemes-sync-dashboard-metaboxes', $meta_box_list );\n \t}","To exploit this vulnerability, an attacker must first be authenticated with a user account that has been restricted by an administrator using the 'Client Dashboard' feature (typically a Contributor or lower admin role). The attacker sends a request to the `\u002Fwp-admin\u002Fadmin-post.php` endpoint with the parameter `action=it-sync-refresh-client-dashboard`. Because the plugin lacks a capability check on this action, the server sets the `it-sync-refresh-cd` meta key for the attacker's user ID. Upon the next visit to any administrative page, the plugin's `init` function detects this meta key, triggers `clear_cache()`, and deletes the key. This causes the restricted menu whitelist to be deleted and regenerated with default (more permissive) settings, granting the attacker access to previously hidden menu items and functionalities.","gemini-3-flash-preview","2026-05-05 11:57:09","2026-05-05 11:58:07",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.2.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fithemes-sync\u002Ftags\u002F3.2.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fithemes-sync.3.2.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fithemes-sync\u002Ftags\u002F3.2.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fithemes-sync.3.2.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fithemes-sync\u002Ftags"]