Over 1 million WordPress sites affected by OptinMonster plugin flaws

A vulnerability in the popular the OptinMonster plugin allows unauthorized API access and sensitive information disclosure.

A high-severity vulnerability (CVE-2021-39341) in The OptinMonster plugin can allow unauthorized API access and sensitive information disclosure on roughly a million WordPress sites.

The flaw was discovered by Wordfence researcher Chloe Chamberland on September 28, 2021, and the development team behind the plugin addressed it on October 7, 2021.

The OptinMonster WordPress plugin allows creating opt-in forms to convert visitors to subscribers/customers.

The plugin and the OptinMonster app site rely on the use of API endpoints to allow easy integration and simplify the design process.

Chamberland pointed out that the majority of the REST-API endpoints were implemented in an insecure way, allowing unauthenticated attackers to access many of the various endpoints on WordPress websites running vulnerable versions of the plugin.

“The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site. With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.” reads the analysis published by Wordfence.

The most critical implementation is related to the ‘/wp-json/omapp/v1/support’ endpoint that can disclose data such as the site’s full path on the server and API keys needed for requests on the OptinMonster site.

An attacker holding the API key could make changes on the OptinMonster accounts or even plant malicious JavaScript snippets on the site.

Chamberland also explained that an unauthenticated attacker can access the API endpoint and bypass security checks using an HTTP request under certain conditions.

An unauthenticated attacker could add malicious JavaScript to a WordPress site running the OptinMonster plugin, to redirect visitors to external malicious domains and sites being completely taken over.

The researcher found other vulnerable REST-API endpoints registered in the plugin that can allow unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions.

Threat actors can exploit the access to this endpoint to conduct malicious activities such as changing settings and viewing campaign data.

Admins of WordPress sites using vulnerable versions of the OptinMonster plugin have to install the 2.6.5 version.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.