Hacking

Over 1 million WordPress sites affected by OptinMonster plugin flaws

A vulnerability in the popular the OptinMonster plugin allows unauthorized API access and sensitive information disclosure.

A high-severity vulnerability (CVE-2021-39341) in The OptinMonster plugin can allow unauthorized API access and sensitive information disclosure on roughly a million WordPress sites.

The flaw was discovered by Wordfence researcher Chloe Chamberland on September 28, 2021, and the development team behind the plugin addressed it on October 7, 2021.

The OptinMonster WordPress plugin allows creating opt-in forms to convert visitors to subscribers/customers.

The plugin and the OptinMonster app site rely on the use of API endpoints to allow easy integration and simplify the design process.

Chamberland pointed out that the majority of the REST-API endpoints were implemented in an insecure way, allowing unauthenticated attackers to access many of the various endpoints on WordPress websites running vulnerable versions of the plugin.

“The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site. With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.” reads the analysis published by Wordfence.

The most critical implementation is related to the ‘/wp-json/omapp/v1/support’ endpoint that can disclose data such as the site’s full path on the server and API keys needed for requests on the OptinMonster site.

An attacker holding the API key could make changes on the OptinMonster accounts or even plant malicious JavaScript snippets on the site.

Chamberland also explained that an unauthenticated attacker can access the API endpoint and bypass security checks using an HTTP request under certain conditions.

An unauthenticated attacker could add malicious JavaScript to a WordPress site running the OptinMonster plugin, to redirect visitors to external malicious domains and sites being completely taken over.

The researcher found other vulnerable REST-API endpoints registered in the plugin that can allow unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions.

Threat actors can exploit the access to this endpoint to conduct malicious activities such as changing settings and viewing campaign data.

Admins of WordPress sites using vulnerable versions of the OptinMonster plugin have to install the 2.6.5 version.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise…

1 hour ago

Google fixed a Chrome vulnerability that could lead to full account takeover

Google released emergency security updates to fix a Chrome vulnerability that could lead to full…

2 hours ago

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

13 hours ago

Coinbase disclosed a data breach after an extortion attempt

Coinbase confirmed rogue contractors stole customer data and demanded a $20M ransom in a breach…

15 hours ago

U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…

1 day ago

Kosovo authorities extradited admin of the cybercrime marketplace BlackDB.cc

Kosovar citizen extradited to the US for running the cybercrime marketplace BlackDB.cc appeared in federal…

1 day ago