Over 1 million WordPress sites affected by OptinMonster plugin flaws

A vulnerability in the popular the OptinMonster plugin allows unauthorized API access and sensitive information disclosure.

A high-severity vulnerability (CVE-2021-39341) in The OptinMonster plugin can allow unauthorized API access and sensitive information disclosure on roughly a million WordPress sites.

The flaw was discovered by Wordfence researcher Chloe Chamberland on September 28, 2021, and the development team behind the plugin addressed it on October 7, 2021.

The OptinMonster WordPress plugin allows creating opt-in forms to convert visitors to subscribers/customers.

The plugin and the OptinMonster app site rely on the use of API endpoints to allow easy integration and simplify the design process.

Chamberland pointed out that the majority of the REST-API endpoints were implemented in an insecure way, allowing unauthenticated attackers to access many of the various endpoints on WordPress websites running vulnerable versions of the plugin.

“The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site. With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.” reads the analysis published by Wordfence.

The most critical implementation is related to the ‘/wp-json/omapp/v1/support’ endpoint that can disclose data such as the site’s full path on the server and API keys needed for requests on the OptinMonster site.

An attacker holding the API key could make changes on the OptinMonster accounts or even plant malicious JavaScript snippets on the site.

Chamberland also explained that an unauthenticated attacker can access the API endpoint and bypass security checks using an HTTP request under certain conditions.

An unauthenticated attacker could add malicious JavaScript to a WordPress site running the OptinMonster plugin, to redirect visitors to external malicious domains and sites being completely taken over.

The researcher found other vulnerable REST-API endpoints registered in the plugin that can allow unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions.

Threat actors can exploit the access to this endpoint to conduct malicious activities such as changing settings and viewing campaign data.

Admins of WordPress sites using vulnerable versions of the OptinMonster plugin have to install the 2.6.5 version.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]