iThemes Sync < 2.1.14 – Cross-Site Request Forgery and Missing Authorization via 'hide_authenticate_notice' | CVE 2023-40001 | Plugin Vulnerabilities

Description

The iThemes Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.13. This is due to missing or incorrect nonce validation on the hide_authenticate_notice function. This makes it possible for unauthenticated attackers to hide admin notices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Authorization was also missing, which allowed subscribers to dismiss notices via AJAX request.

Affects Plugins

Fixed in 2.1.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9229f2-e7dd-43c9-9c15-9b76c13e895b

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

67ad1c04-f314-4c4b-9aad-84202ee0ec70

Timeline

Publicly Published

2023-08-25 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2023-11-24 (about 2 years ago)

Other

Published

Title

Published

2023-01-18

Title

DNUI <= 2.8.1 - Deletion of images through CSRF

Published

2025-06-05

Title

Free WP Mail SMTP <= 1.0 - Cross-Site Request Forgery

Published

2025-06-27

Title

MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet < 3.2.1 - Cross-Site Request Forgery to Settings Reset

Published

2024-02-12

Title

Multi Step Form < 1.7.19 - Form Deletion via CSRF

Published

2025-09-16

Title

USS Upyun < 1.5.1 - Cross-Site Request Forgery