{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27056", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:30.505Z", "datePublished": "2026-02-19T08:20:33.197Z", "dateUpdated": "2026-04-28T16:15:00.906Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ithemes-sync", "product": "iThemes Sync", "vendor": "StellarWP", "versions": [{"changes": [{"at": "3.2.9", "status": "unaffected"}], "lessThanOrEqual": "3.2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:11.689Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in StellarWP iThemes Sync ithemes-sync allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects iThemes Sync: from n/a through <= 3.2.8.</p>"}], "value": "Missing Authorization vulnerability in StellarWP iThemes Sync ithemes-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iThemes Sync: from n/a through <= 3.2.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:00.906Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ithemes-sync/vulnerability/wordpress-ithemes-sync-plugin-3-2-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress iThemes Sync plugin <= 3.2.8 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:38:14.230623Z", "id": "CVE-2026-27056", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:51:19.008Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27056", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:38:14.230623Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:37:35.281Z"}}], "cna": {"title": "WordPress iThemes Sync plugin <= 3.2.8 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "StellarWP", "product": "iThemes Sync", "versions": [{"status": "affected", "changes": [{"at": "3.2.9", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.2.8"}], "packageName": "ithemes-sync", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:53.671Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ithemes-sync/vulnerability/wordpress-ithemes-sync-plugin-3-2-8-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in StellarWP iThemes Sync ithemes-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iThemes Sync: from n/a through <= 3.2.8.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in StellarWP iThemes Sync ithemes-sync allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects iThemes Sync: from n/a through <= 3.2.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:50.748Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27056", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:51:19.008Z", "dateReserved": "2026-02-17T13:23:30.505Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:20:33.197Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in StellarWP iThemes Sync ithemes-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iThemes Sync: from n/a through <= 3.2.8."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en StellarWP iThemes Sync ithemes-sync permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a iThemes Sync: desde n/a hasta &lt;= 3.2.8."}], "id": "CVE-2026-27056", "lastModified": "2026-04-28T16:16:10.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-19T09:16:26.823", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ithemes-sync/vulnerability/wordpress-ithemes-sync-plugin-3-2-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "iThemes Sync", "source": "cna", "vendor": "StellarWP"}, "product": "ithemes_sync", "vendor": "stellarwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:38:46.235005+00:00", "value": {"mitigation_remediation": ["Upgrade iThemes Sync to a version newer than 3.2.8", "Configure WordPress roles so that only administrators can access the plugin\u2019s settings pages", "Block external requests to the plugin\u2019s endpoints except for authenticated users"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all installations of the iThemes Sync plugin from the earliest release up to and including version 3.2.8. Any WordPress site running one of these versions of the plugin is potentially exposed.", "description_and_impact": "A missing authorization check in the StellarWP iThemes Sync plugin allows an attacker to bypass the normally enforced access controls and gain unintended access to the plugin\u2019s administrative functions. This flaw enables users who are not normally granted privileges to perform actions such as viewing, modifying, or deleting synchronization settings, potentially exposing sensitive data stored or transmitted by the plugin. The weakness is a classic example of broken access control as defined by CWE\u2011862.", "risk_and_exploitability": "The CVSS v3 score of 4.3 indicates moderate severity, while the EPSS value of less than 1% suggests a very low probability that the flaw is currently being exploited in the wild. The flaw is not yet listed in the CISA KEV catalog. Based on the plugin\u2019s web\u2011based nature, it is inferred that an attacker would need network access to the WordPress site, and that the attack could be carried out through a typical browser or automated web request performing the unauthorized action once the flaw is leveraged. No special pre\u2011conditions beyond availability of the site and the plugin are stated."}}}}, "created": "2026-02-20T10:11:26.610810+00:00", "updated": "2026-04-16T00:45:15.970164+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$ithemes_sync", "wordpress", "wordpress$PRODUCT$wordpress"]}