A high-severity vulnerability (CVE-2021-39341) in The OptinMonster plugin can allow unauthorized API access and sensitive information disclosure on roughly a million WordPress sites.
The flaw was discovered by Wordfence researcher Chloe Chamberland on September 28, 2021, and the development team behind the plugin addressed it on October 7, 2021.
The OptinMonster WordPress plugin allows creating opt-in forms to convert visitors to subscribers/customers.
The plugin and the OptinMonster app site rely on the use of API endpoints to allow easy integration and simplify the design process.
Chamberland pointed out that the majority of the REST-API endpoints were implemented in an insecure way, allowing unauthenticated attackers to access many of the various endpoints on WordPress websites running vulnerable versions of the plugin.
“The most critical of the REST-API endpoints was the
The most critical implementation is related to the ‘/wp-json/omapp/v1/support’ endpoint that can disclose data such as the site’s full path on the server and API keys needed for requests on the OptinMonster site.
Chamberland also explained that an unauthenticated attacker can access the API endpoint and bypass security checks using an HTTP request under certain conditions.
The researcher found other vulnerable REST-API endpoints registered in the plugin that can allow unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions.
Threat actors can exploit the access to this endpoint to conduct malicious activities such as changing settings and viewing campaign data.
Admins of WordPress sites using vulnerable versions of the OptinMonster plugin have to install the 2.6.5 version.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, cybercrime)