SB2019101014 - Improper authentication in iThemes Sync plugin for WordPress
Published: October 10, 2019 Updated: October 21, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Authentication (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to insufficient validation of the plugin's "secure key". A remote authenticated attacker can add their own secure key to a site running the Sync plugin, bypass the authentication process, gain unauthorized access to the application and perform arbitrary actions, such as adding or removing plugins or themes, manipulating content, or adding, changing or removing users on the affected sites.
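The bug class described above, as an added example written for this bulletin (it is not iThemes Sync code and does not reproduce the plugin's actual implementation): a hypothetical WordPress plugin slice that stores remote-management "secure keys" in an option and exposes a REST route to add one. The first route registers whatever key any caller supplies, so a remote attacker can plant a key and then use it; the second route only accepts the request from a logged-in administrator or from a caller who already proves possession of an existing key, and generates the new key server-side. The namespace `example-sync/v1`, the option name `example_sync_keys`, the header `X-Example-Sync-Key` and all `example_sync_*` names are assumptions.

```php
<?php
/**
 * Added example, not iThemes Sync code. Hypothetical plugin slice showing a
 * "secure key" registration endpoint with insufficient validation beside a
 * hardened version. All names and routes below are assumptions.
 */

const EXAMPLE_SYNC_OPTION = 'example_sync_keys';

/** True if the request carries a key that matches one already on file. */
function example_sync_request_is_authorized( WP_REST_Request $req ) {
    $presented = (string) $req->get_header( 'x-example-sync-key' );
    if ( strlen( $presented ) < 32 ) {
        return false; // missing or obviously too short: reject before comparing
    }
    foreach ( (array) get_option( EXAMPLE_SYNC_OPTION, array() ) as $stored ) {
        // Constant-time comparison; a plain == or strcmp leaks how much matched.
        if ( is_string( $stored ) && hash_equals( $stored, $presented ) ) {
            return true;
        }
    }
    return false;
}

add_action( 'rest_api_init', function () {
    // VULNERABLE: no permission check, and the caller chooses the key value.
    // Anyone who can reach /wp-json/ registers a key and then authenticates with it.
    register_rest_route( 'example-sync/v1', '/keys-insecure', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            $keys   = (array) get_option( EXAMPLE_SYNC_OPTION, array() );
            $keys[] = (string) $req->get_param( 'key' );
            update_option( EXAMPLE_SYNC_OPTION, $keys );
            return rest_ensure_response( array( 'added' => true ) );
        },
    ) );

    // HARDENED: only an administrator (cookie auth plus X-WP-Nonce, enforced by
    // the REST API) or a caller proving possession of an existing key may add a
    // key, and the key is generated from the CSPRNG rather than taken from input.
    register_rest_route( 'example-sync/v1', '/keys', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $req ) {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            if ( example_sync_request_is_authorized( $req ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'Not authorized to add keys.',
                array( 'status' => 401 )
            );
        },
        'callback'            => function () {
            $keys   = (array) get_option( EXAMPLE_SYNC_OPTION, array() );
            $new    = bin2hex( random_bytes( 32 ) ); // 256-bit key, server-generated
            $keys[] = $new;
            update_option( EXAMPLE_SYNC_OPTION, $keys );
            // Returned once, over TLS, to the caller that just proved authorization.
            return rest_ensure_response( array( 'key' => $new ) );
        },
    ) );
} );
```

For this bug class, patching the endpoint alone is not enough: any key an attacker registered before the fix stays valid, so after updating, review the stored key list and rotate every key that the legitimate management service does not recognize.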
Remediation
Install the update from the vendor's website.