
One million sites exposed to remote takeover due to a vulnerability in a WordPress plugin


Last Updated on 22/11/2021 by Sunaina

Vulnerabilities in OptinMonster, a WordPress email marketing plugin, exposed more than a million websites to exploitation, according to Wordfence security analysts.

If not resolved, the issues allow an unauthenticated attacker to export personal information and inject malicious JavaScript into vulnerable WordPress sites, among other attacks. On September 28, the Wordfence Threat Intelligence team alerted the plugin’s creators to the issue. On October 7, OptinMonster 2.6.5, a fully patched version, was published. On Wednesday, Wordfence released a security bulletin outlining its findings.

OptinMonster is intended to assist website owners in generating eCommerce leads and creating sales campaigns on WordPress sites. The plugin relies heavily on API endpoints for integration.

Wordfence security experts uncovered a weakness in this feature: the bulk of the plugin's REST-API endpoints were constructed insecurely, allowing unauthenticated attackers to access many of the numerous endpoints on sites running a vulnerable version of the plugin.

The most concerning of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which revealed sensitive data such as the site’s complete path on the server, as well as the API key required to perform queries on the OptinMonster site.

An attacker with access to the API key might modify any campaign linked with a site’s connected OptinMonster account and insert malicious JavaScript that would run whenever a campaign was shown on the vulnerable site.

The root cause lies in the plugin's logged_in_or_has_api_key function.
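The article does not give the function's logic, so the following is an added illustration (not OptinMonster's code) of how a WordPress REST permission callback can end up granting unauthenticated access, beside a hardened version; the route, header name and option name are hypothetical.

```php
<?php
// Added example, not OptinMonster's code. Route, header and option names are hypothetical.

// Weak: any logged-in user passes, and so does any request that merely carries
// a non-empty key header, so the route is effectively open to unauthenticated callers.
function weak_logged_in_or_has_api_key( WP_REST_Request $request ) {
    return is_user_logged_in() || ! empty( $request->get_header( 'X-Api-Key' ) );
}

// Hardened: logged-in users need a real capability, and key-based access requires
// the presented key to match the stored one (constant-time comparison).
function hardened_logged_in_or_has_api_key( WP_REST_Request $request ) {
    if ( is_user_logged_in() ) {
        return current_user_can( 'manage_options' );
    }
    $presented = (string) $request->get_header( 'X-Api-Key' );
    $stored    = (string) get_option( 'example_plugin_api_key', '' ); // hypothetical option
    if ( '' === $presented || '' === $stored ) {
        return false;
    }
    return hash_equals( $stored, $presented );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/support', array(
        'methods'             => 'GET',
        'callback'            => function () {
            // Diagnostics only: never return secrets or server paths from a support endpoint.
            return rest_ensure_response( array( 'plugin_version' => '1.0.0' ) );
        },
        'permission_callback' => 'hardened_logged_in_or_has_api_key',
    ) );
} );
```

Auditing which permission_callback each registered route uses, and what that callback returns for an anonymous request, is the check a site owner or plugin reviewer would run against this class of bug.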

As an extra precaution, in addition to releasing the updated plugin, the OptinMonster team “invalidated all API keys to require site owners to produce new keys in the off possibility that a key had already been hacked,” according to Wordfence.

According to the most recent WordPress plugin repository statistics, over a quarter (23.6 percent) of the one million OptinMonster installations are running outdated versions. The remaining figure represents all installations in the 2.6 branch, all of which are unsafe below 2.6.5.

There is no more specific breakdown of the number of sites that have already updated to 2.6.5 or the most recent 2.6.6 version of OptinMonster, so the actual percentage of vulnerable installs remains unknown.

Users of OptinMonster are highly advised to update to the most recent, patched version of the plugin (2.6.5 or above), regardless of any supplementary security protection they may have, in order to protect themselves from potential attack.

Sunaina
A tech enthusiast, with a mission to report data breaches, fraudulent practices, dark pattern practices, and updates. She is also frequently fascinated by fintech and unicorns.