A high-severity issue in the OptinMonster plugin permits unauthorized API access and sensitive information exposure on around a million WordPress sites.
The bug was identified as CVE-2021-39341 by researcher Chloe Chamberland on September 28, 2021, and a fix was released on October 7, 2021. All OptinMonster plugin users should upgrade to version 2.6.5 or later, as all previous versions are impacted.
OptinMonster is a popular WordPress plugin for building opt-in forms that help site owners convert visitors into subscribers or customers; it is essentially a lead generation and monetization tool. It has been installed on over a million sites because it is easy to use and offers an extensive feature set.
OptinMonster’s strength is based on API endpoints that enable seamless integration and a simplified design process, as described by Chamberland in her vulnerability disclosure report.
However, these endpoints are not always implemented securely, and the ‘/wp-json/omapp/v1/support’ endpoint is the most serious example.
Without the site owner’s knowledge, the site would run this code whenever a visitor interacted with an OptinMonster element. To make matters worse, the attacker would not even need to log in to the targeted site to reach the API endpoint, because an HTTP request would bypass the security checks under specific, simple conditions.
While the ‘/wp-json/omapp/v1/support’ endpoint is the most dangerous, it is not the only unsecured REST API endpoint that could be exploited. After receiving the researcher’s findings, the makers of OptinMonster recognized that the entire API needed to be revisited.
As a result, any OptinMonster updates that appear in your WordPress dashboard over the following weeks should be installed, as they will most likely address further API problems. Meanwhile, any API keys that may have been stolen were immediately invalidated, forcing site owners to generate new keys.
If you own a website, use as few plugins as possible to cover the functionality you actually need, and update those plugins as quickly as possible.