
A high-severity security flaw in the OptinMonster WordPress plugin allows unauthorised REST API access on around a million sites.

  • The high-severity flaw was identified as CVE-2021-39341. 
  • The plugin developer has invalidated all API keys, forcing users to generate new ones.


Wordfence researcher Chloe Chamberland discovered the flaw tracked as CVE-2021-39341 on September 28, 2021, and the development team behind the plugin addressed it on October 7, 2021.

OptinMonster is a popular WordPress plugin for creating opt-in forms that help site owners convert visitors into subscribers or customers. It is essentially a lead generation and monetisation tool. OptinMonster is installed on over a million sites because it is easy to use and has extensive features.

According to Chamberland, most of the plugin's REST API endpoints were implemented insecurely, allowing unauthenticated attackers to reach many of them on WordPress sites running vulnerable versions of the plugin.

“The most critical of the REST-API endpoints was the `/wp-json/omapp/v1/support` endpoint, which disclosed sensitive information like the site’s entire server path, along with the API keys needed to make requests on the OptinMonster site.”

With access to the API key, an attacker could modify any campaign associated with a site’s connected OptinMonster account and inject malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.

The researcher found that other REST API endpoints registered by the plugin were also vulnerable, allowing unauthenticated visitors, or authenticated users with minimal permissions, to perform unauthorised actions.

The attacker does not need to log in to the targeted site to reach these endpoints: the plugin's permission check could be bypassed by an unauthenticated HTTP request that satisfied a few simple conditions.

Threat actors can exploit the access to this endpoint to conduct malicious activities such as changing settings and viewing campaign data.
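Because the vulnerable endpoints were reachable without authentication, a site owner who ran an affected version should, after upgrading, check the web server access logs for requests to the plugin's REST namespace made before the fix. The script below is an added example, not code from the article, Wordfence or OptinMonster. The only route taken from the article is `/wp-json/omapp/v1/support`; the other `omapp/v1` routes, the IP addresses and the log lines are constructed for illustration, and the `?rest_route=` form is the standard WordPress fallback for sites without pretty permalinks.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Apache/nginx "combined" log format:
# host ident authuser [date] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Namespace of the plugin's REST routes; the support route is the one the article
# says leaked the server path and API keys to unauthenticated callers.
OMAPP_NAMESPACE = "/omapp/v1/"
SUPPORT_ROUTE = "/omapp/v1/support"

# Constructed sample log (not real traffic). Routes other than /support are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2021:03:14:07 +0000] "GET /wp-json/omapp/v1/support HTTP/1.1" 200 1843 "-" "python-requests/2.25.1"
203.0.113.7 - - [01/Oct/2021:03:14:09 +0000] "GET /wp-json/omapp/v1/campaigns HTTP/1.1" 200 912 "-" "python-requests/2.25.1"
198.51.100.23 - - [01/Oct/2021:08:22:41 +0000] "GET /index.php?rest_route=%2Fomapp%2Fv1%2Fsupport HTTP/1.1" 200 1843 "-" "curl/7.68.0"
192.0.2.55 - - [01/Oct/2021:09:05:12 +0000] "POST /wp-json/omapp/v1/settings HTTP/1.1" 200 48 "https://example.com/wp-admin/admin.php?page=optin-monster-settings" "Mozilla/5.0"
192.0.2.56 - - [01/Oct/2021:09:06:00 +0000] "GET /wp-json/wp/v2/posts?per_page=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2021:11:00:00 +0000] "GET /wp-json/omapp/v1/support HTTP/1.1" 401 97 "-" "python-requests/2.25.1"
"""


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    route: str
    status: int
    referer: str
    ua: str


def rest_route(target: str) -> Optional[str]:
    """Normalise a request target to its REST route, or None if it is not a REST call.

    Handles both pretty permalinks (/wp-json/<route>) and the ?rest_route=<route>
    query form, so an attacker cannot dodge the search by switching between them.
    """
    parsed = urlparse(target)
    path = unquote(parsed.path)
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):].lstrip("/")
    qs = parse_qs(parsed.query)
    if "rest_route" in qs:
        return "/" + unquote(qs["rest_route"][0]).lstrip("/")
    return None


def find_omapp_hits(lines) -> List[Hit]:
    """Return every parsed request whose REST route falls in the plugin's namespace."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        route = rest_route(m["target"])
        if route is None or not route.startswith(OMAPP_NAMESPACE):
            continue
        hits.append(Hit(m["ip"], m["ts"], m["method"], route,
                        int(m["status"]), m["referer"], m["ua"]))
    return hits


def triage(lines) -> dict:
    """Summarise plugin REST traffic for incident review.

    A 200 on the support route is the key signal: a patched site answers an anonymous
    caller with 401/403, so a successful pre-patch hit means the API key may have leaked
    and OptinMonster campaigns should be reviewed for injected JavaScript.
    """
    hits = find_omapp_hits(lines)
    support_200 = [h for h in hits if h.route.rstrip("/") == SUPPORT_ROUTE and h.status == 200]
    writes = [h for h in hits if h.method in ("POST", "PUT", "PATCH", "DELETE") and h.status < 400]
    return {
        "total_omapp_requests": len(hits),
        "support_200": support_200,
        "successful_writes": writes,
        "top_sources": Counter(h.ip for h in hits).most_common(5),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(f"plugin REST requests: {result['total_omapp_requests']}")
    for h in result["support_200"]:
        print(f"support route 200 from {h.ip} at {h.ts} ({h.ua})")
    for h in result["successful_writes"]:
        print(f"successful write {h.method} {h.route} from {h.ip}")
    print("top sources:", result["top_sources"])
```

Access logs do not show whether a caller held a WordPress session, so every 200 on the support route has to be matched against known administrator activity; hits with no referer, a scripting user agent, or a source that also appears in failed requests after the patch date are the ones to escalate. Reading the log in two forms (`/wp-json/...` and `?rest_route=`) matters because both reach the same route handler.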

All OptinMonster users should upgrade to version 2.6.5 or later; every earlier version of the plugin is affected. Because the developer has invalidated existing API keys, sites will also need to generate new ones after updating.
